On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. The Final Judgment stems from an April 2009 information security breach in which outside hackers used malware to gain access to Briar Group’s computer systems and extract payment card information about the company’s restaurant and bar customers. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.
According to the Attorney General, the Final Judgment “works to ensure that steps have been taken to protect consumer information moving forward.” Although the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00) did not become effective until after the April 2009 breach, the Attorney General used the regulations as a reference point for identifying deficiencies in the company’s approach to information security. In its complaint against Briar Group, the Attorney General alleged, among other things, that the company (i) failed to change default usernames and passwords for its point-of-sale system, (ii) allowed employees to share passwords, (iii) did not appropriately limit the number of employees with administrative access to company systems, and (iv) stored payment card information in clear text on its servers. Taken together, these deficiencies allowed the breach of Briar Group’s systems to continue unabated until approximately December 2009.
In her announcement of the Final Judgment, Massachusetts Attorney General Martha Coakley explained that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” With this in mind, and with 201 CMR 17.00 now firmly entrenched, companies handling personal information about Massachusetts residents should be prepared. Hint: That means have a WISP and follow it!