Once again, we have evidence that failures to implement the most basic of data security measures can cost real money.
The Massachusetts Attorney General's office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag. Despite many headlines trumpeting the "first enforcement action," this action was not brought by the AG's office under the Massachusetts data security regulations. It was a consumer protection action brought by the Attorney General under the Massachusetts consumer protection law, 93A. 201 CMR 17.00 certainly played a part in the consent order, and the Briar Group is required to implement a written information security plan and supply a copy to the AG's office within 14 days of the order. The standards set out in 201 CMR 17.00 are the framework around which the settlement order is built, but the action was not one to enforce those regulations. Those are coming.
A copy of the consent order is here - Briar Signed Consent Judgment - 3-28-11 (3).pdf.
Much has been written and blogged over the last couple of days about the consent order. But what should businesses take away from this? Retail and hospitality businesses are particularly vulnerable to data breaches because of the volume of credit card information they process every day. But protecting that information is their responsibility, and it is part of the cost of doing business.
As with earlier consent orders issued by the Federal Trade Commission, yesterday's order provides a mirror into which all businesses should look when examining their current data security procedures, and now is the time to undertake that review.
Questions to ask:
What is your company's password policy? Do you have one? Have all the "default" passwords on your credit card processing equipment (point-of-sale terminals and other access points) been reset? Do all your employees have unique IDs and passwords? Are the passwords changed regularly? This is Security 101, and it did not happen in the Massachusetts case.
If your business has a point-of-sale (POS) terminal, when was it installed? How old is the technology? If neither the hardware nor the firmware has been updated to meet current data security standards and current Payment Card Industry standards, your customers could be at risk.
Does your company have any endpoints that are unprotected? Is there a way that a hacker could exploit a vulnerability? How does one location communicate with another? Do you know?
When was the last time you had your network audited by a qualified specialist? If you collect credit card information, are you (and your hardware/software) PCI compliant? Do you know?
Do you educate employees on data security and the importance of protecting your customers' data?
One year later, if you use, collect, store or license the personal information of Massachusetts residents, do you have a written information security plan that complies with Massachusetts law?
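The first of the questions above (default passwords, unique IDs, regular rotation) can be checked mechanically once a business keeps an inventory of the logins on its terminals. The following is an added example written for this post, not code from the post or from any party to the consent order; the terminal inventory, the list of vendor default logins and the dates are all constructed for illustration, and the 90-day rotation window is an assumed policy value, not a figure from the order.

```python
"""Added example (not from the post): audit a point-of-sale credential inventory
against three of the checklist questions above: vendor defaults still in use,
one login shared across terminals, and passwords not rotated within a policy window.
The inventory, default-login list, dates and policy window are all constructed."""
import hashlib
from datetime import date


def _h(secret: str) -> str:
    """SHA-256 of a secret, so the inventory never carries plaintext passwords."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Hypothetical vendor default logins; a real list comes from the vendor's manuals.
KNOWN_DEFAULTS = {("admin", _h("admin")), ("pos", _h("pos")), ("manager", _h("1234"))}

# Constructed inventory: one record per login per terminal, password kept only as a hash.
INVENTORY = [
    {"terminal": "POS-01", "user": "admin",  "pw_hash": _h("admin"),    "last_changed": date(2009, 6, 1)},
    {"terminal": "POS-01", "user": "server", "pw_hash": _h("tips2010"), "last_changed": date(2011, 1, 15)},
    {"terminal": "POS-02", "user": "server", "pw_hash": _h("tips2010"), "last_changed": date(2011, 1, 15)},
    {"terminal": "POS-02", "user": "jsmith", "pw_hash": _h("Qx9!pLm2"), "last_changed": date(2011, 3, 1)},
]


def audit_accounts(inventory, known_defaults=KNOWN_DEFAULTS, max_age_days=90, today=date(2011, 3, 29)):
    """Return a sorted list of (terminal, user, issue) findings for the inventory."""
    findings = []
    # Index identical user/password pairs: the same pair on several terminals is a
    # shared login, which defeats the "unique ID per employee" requirement.
    terminals_by_login = {}
    for rec in inventory:
        terminals_by_login.setdefault((rec["user"], rec["pw_hash"]), []).append(rec["terminal"])

    for rec in inventory:
        key = (rec["user"], rec["pw_hash"])
        if key in known_defaults:
            findings.append((rec["terminal"], rec["user"], "vendor default credential still in use"))
        shared_on = len(terminals_by_login[key])
        if shared_on > 1:
            findings.append((rec["terminal"], rec["user"], f"login shared across {shared_on} terminals"))
        age = (today - rec["last_changed"]).days
        if age > max_age_days:
            findings.append((rec["terminal"], rec["user"], f"password not changed for {age} days"))
    return sorted(findings)


if __name__ == "__main__":
    for terminal, user, issue in audit_accounts(INVENTORY):
        print(f"{terminal:7} {user:8} {issue}")
```

Run against the constructed inventory, the audit flags the untouched "admin" default (which is also years past rotation) and the "server" login reused on both terminals, while the personal "jsmith" account, changed within the window, produces no finding. Storing only hashes in the inventory keeps the audit itself from becoming a new store of plaintext credentials.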
The fine is relatively small in comparison to the sheer number of records that apparently were compromised and the facts alleged by the Commonwealth in the Complaint. That is not, and should not be, the takeaway. The intangibles, negative press and loss of consumer confidence, cannot be estimated.