On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information. The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode, which the company did not remove until December of that year. The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure wireless network connections, put customers’ personal information at risk.
The Superior Court judgment requires the Briar Group to (1) pay $110,000 in civil penalties to the Commonwealth of Massachusetts, (2) comply with Massachusetts data security regulations, (3) comply with the Payment Card Industry Data Security Standards, and (4) establish and maintain an enhanced network security system. Specifically, although the Massachusetts information security regulations were not yet in effect at the time of the breach, the settlement uses the regulations’ standards, requiring all Briar Group restaurants to develop a system to manage passwords and to implement, maintain and adhere to a written information security program.
In addressing the settlement, Attorney General Coakley emphasized that “[w]hen consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected.” Attorney General Coakley also stressed that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”