On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. (“MPI”), a property management firm, executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of an unencrypted company-issued laptop. The laptop contained personal information of more than 600 Massachusetts residents and was left in an employee’s car overnight. MPI has indicated that it has no evidence of unauthorized access to or use of the personal information in connection with this breach.
According to allegations in the Assurance, MPI violated the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth by maintaining personal information on an unencrypted laptop and by failing to comply with its own written information security program.
In addition to paying a civil penalty of $15,000, MPI must comply with the Massachusetts regulations “in all respects,” including by “encrypting, to the extent technically feasible, all personal information stored on laptops or other portable devices.” MPI also must comply with the provisions of its written information security program, which include:
- ensuring that all portable devices are kept in a secure location at all times;
- ensuring that personal information is not maintained on portable devices for longer than necessary and only for business purposes;
- ensuring that personal information maintained on portable devices is and remains encrypted;
- training MPI’s workforce at least once a year on the polices and procedures with respect to maintaining the security of personal information; and
- auditing compliance with the company’s written information security program at least once a year.
The MPI settlement is the third breach-related enforcement action by the Massachusetts Attorney General’s Office that we’ve reported on in the past year. In August 2011, we reported on Attorney General Coakley’s $7,500 settlement with Belmont Savings Bank, and in March 2011, we reported on the AG’s $110,000 settlement with a Briar Group, LLC.