March 29, 2010
Popular Restaurant Chain Settles Federal Trade Commission Data Breach Charges
“A requirement to establish and maintain a comprehensive information security program, designed to protect the security, confidentiality, and integrity of personal information…” Sound familiar?
This is nothing new to those who have been bringing their businesses into compliance with the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Standards”). For companies covered by the Standards and still struggling with compliance, the latest Federal Trade Commission draft consent order should provide yet another impetus to get the required program in place.
Last week, the Federal Trade Commission (FTC) weighed in with another proposed settlement agreement requiring a business that experienced a massive data breach in 2007 (well before the Massachusetts regulations took effect) to do exactly the same: establish and maintain a comprehensive information security program as a condition of settling a consumer protection action arising out of that breach. This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.
According to the FTC, Dave & Buster’s—a chain with 53 restaurant and entertainment complexes in various states—collects credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency alleges the company failed to take reasonable steps to secure this sensitive personal information on its computer network. Specifically, it failed to:
- Take sufficient measures to detect and prevent unauthorized access to the network
- Adequately restrict outside access to the network, including access by Dave & Buster’s service providers
- Monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization
- Use readily available security measures to limit access to its computer networks through wireless access points
The FTC alleged that a hacker exploited these weaknesses, installed unauthorized software on the company’s network and accessed about 130,000 credit and debit cards. The banks that issued the cards have claimed several hundred thousand dollars in fraudulent charges.
The settlement also requires Dave & Buster’s to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.
This draft complaint and consent order has some relevance to the Massachusetts Standards. Had this data breach occurred on March 15, 2010 instead of back in 2007, and had the restaurant chain been without a comprehensive written information security program, it could have been subject to the jurisdiction of the Massachusetts Attorney General’s office as well as the FTC, and subject to civil penalties for violations of 201 CMR 17.00 (the regulation that sets out the Standards). According to the FTC complaint, Dave & Buster’s operates across the country under the names Dave & Buster’s, Dave & Buster’s Grand Sports Café, and Jillian’s. The corporate website lists some locations in or near Massachusetts, so the breach surely implicated “personal information of a Massachusetts resident,” bringing it squarely under the data security regulations.

If you need further information on the Massachusetts Standards, please see our prior Client Alerts on this topic, or our Privacy Blog at Privacy and Security Information - Privacy MATTERS.
For assistance in this area please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
Cynthia J. Larose, CIPP
Stephen R. Bentfield
Dianne J. Bourque
Susan L. Foster, Ph.D.
+44 (0) 20 7776 7330
Haydon A. Keitner
Julia M. Siripurapu
Bruce D. Sokler
Charles A. Samuels
Robert G. Kidwell
Jennifer E. Cleary