Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

In a February <a href="https://www.dataprivacymonitor.com/payment-card-industry/hospitality-and-food-and-beverage-industries-still-targets-of-hackers/">co-post </a>with Baker Hostetler&rsquo;s <a href="http://www.hospitalitylawg.com/">Hospitality Lawg</a>, we wrote about security breach reports that continued to show hospitality and restaurant groups as favorite targets of hackers.&nbsp; Two of the factors we cited as explanations for their vulnerability&mdash;failure to secure wireless networks and not complying with the Payment Card Industry Data Security Standard (PCI DSS)&mdash;appear to have led to a breach that compromised payment card data and cost a Boston restaurant group more than $100,000.&nbsp;
On March 28, a company that owns and operates six Boston restaurants settled a lawsuit filed by Massachusetts Attorney General Martha Coakley, which alleged that the company failed to take reasonable steps to protect its customers&rsquo; personal information.&nbsp; Specifically, the lawsuit alleged that the company&rsquo;s deficient computer security standards allowed an April 2009 breach, which exposed credit card account data of thousands of its customers.&nbsp; The <a href="http://www.mass.gov/?pageID=cagopressrelease&amp;L=1&amp;L0=Home&amp;sid=Cago&amp;b=pressrelease&amp;f=2011_03_28_briar_group_settlement&amp;csid=Cago">press release</a> from the Massachusetts AG indicates that the breach went undetected for eight months.&nbsp; The deficient security standards alleged in the complaint include: failing to change default usernames and passwords, failing to secure its remote access and wireless network; and continuing to accept credit cards after it learned of the breach.
The judgment requires the restaurant group to: (1) pay $110,000 in civil penalties; (2) comply with the Massachusetts data security regulations (which were not in effect at the time of the breach); (3) comply with PCI DSS; and (4) establish and maintain an enhanced computer security network, including following a written information security program.&nbsp;&nbsp;&nbsp;&nbsp;

Restaurant Group Pays $110,000 to Settle Lawsuit Alleging a Failure to Secure Payment Card Data