Forgot your password?
typodupeerror
Privacy Security The Courts IT

$110,000 Fine Is First Under MA Data Privacy Law 97

Posted by timothy
from the good-start dept.
chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."
This discussion has been archived. No new comments can be posted.

$110,000 Fine Is First Under MA Data Privacy Law

Comments Filter:
  • by Anonymous Coward

    In Texas companies are encouraged to poison and steal from their customers.

    Malware, Natural Gas Fracking, Pollution

    Rick Perry invites you all to use Texas as a dumping ground for the byproducts of corporate greed.

    We've even changed our motto to "Mess with Texas"

    • by theillien (984847)
      At one point I submitted the suggestion that they change it to "Messed Up Texas", but no one knew what I was talking about.
  • Norton Antivirus 2003?
    • by winkydink (650484) * <sv.dude@gmail.com> on Tuesday March 29, 2011 @07:46PM (#35660612) Homepage Journal

      Everything here could happen to almost any SMB out there. But to keep taking credit cards _after_ knowing you've been hacked?

      • The chance of getting fined is a possible loss of revenue. Not taking credit cards is a definite loss of revenue. Not taking credit cards for a couple of weeks while you replace / reformat all machines in the company that could be hiding malware would cost far more than $110k.
  • When visiting a bar or restaurant, bring cash.

    Or pre-paid debit card you keep with only a small amount loaded on it.

    Minimize the use of CCs and checking/loan-account-linked cards

    • by Anonymous Coward

      When visiting a bar or restaurant, bring cash.

      or grocery stores... seriously, walmart, small chains, large chains. It doesn't matter.

      If the point of sale system is maintained by people in the point of sale business.... RUN.
      These guys moved into computers from maintaining hardware registers. my grandmother knows more about data security than most of them.

      The worst part is when they do accidentally hire a computer specialist, they fire them for not "getting it", then get the government/major POS software vendor to throw the book at you for being an "unli

    • by Anonymous Coward

      Why would I go through all that trouble to protect my bank's liability? My money is not at risk of credit card fraud. The banks have lost several thousand dollars due to poor security that resulted in my accounts being compromised previously. I continue to not take any additional effort towards security when a picture of a piece of plastic is all that's necessary to steal money from them... not my problem.

    • Re:Lesson... (Score:4, Insightful)

      by LordNimon (85072) on Tuesday March 29, 2011 @07:48PM (#35660628)

      Why should I? If there are any fraudulent charges, my credit card company will reverse them. Constantly reloading a debit card is a big hassle, and carrying around that much cash with me is unsafe.

    • Re:Lesson... (Score:5, Insightful)

      by Ruke (857276) on Tuesday March 29, 2011 @07:50PM (#35660654)
      While it is valuable to keep security in mind, I think that you might be taking it a little over the edge. Despite the fact that identity theft does happen, the rate at which it happens is low enough that the benefit of using credit outweighs the risk of having your identity stolen. Keeping an eye on your bank statements, and immediately contacting your bank in the event that any suspicious charges show up,seems to be much more reasonable strategy for 95% of the population than carrying large amounts of cash.
    • by couchslug (175151)

      That way your tips have better odds of going to your server.
      Nothing wrong with cash at all.

      • Depends on the restaurant; some place have each server log in and take the cards so the tip definitely goes to the right place - and their taxes are easier. Other places, where they just have the cheap card reader separate from the register, may not get stuff properly distributed.

        • by Miseph (979059)

          You seem to be under the impression that cash tips are generally logged properly such that taxes can be properly paid.

          That's adorable.

          Speaking of which... good news! The Easter Bunny is coming in just a few more days! Get ready for candy!

          • I meant easier for the government. I pay taxes on /my/ income, so I'll be damned if I'm gonna leave cash for a waiter just so he can cheat on his. Waiters can just learn to cheat their taxes through abusing the complex tax code like the rest of us.

          • by mysidia (191772)

            You seem to be under the impression that cash tips are generally logged properly such that taxes can be properly paid.

            Failing to log and properly report the tip income is a crime (tax fraud), and unethical. I believe tips are generally logged properly. If you find reason to believe you have found some organization or person who is an exception, to logging tips properly, file IRS form 3949-A, with the appropriate information.

            The law and the stiff penalties for intentionally disobeying it or neglige

            • My wife worked at a number of restaurants where amazingly the claimed tips by servers always hit the 8% mark, nothing more, nothing less. The justification made by her coworkers was that some nights they make less than the 8% so averaging it out was "OK" to them. I always try to pay my meals & tip using a card, that way I'm fairly confident the tips are being captured accurately for both taxes and the shared tips (table bus staff, cooks, prep staff, etc... that may be due a share based on restaurant p
            • by Miseph (979059)

              If I'm going to start busting on tax evaders, I'll dig up dirt on people who already make more than they could spend anyway, the ones with no good excuses or reasons.

              My friends and former coworkers taking shifts waiting tables to make ends meet... nope, they're good.

      • by hldn (1085833)

        implying i leave tips.

    • Minimize the use of CCs and checking/loan-account-linked cards

      Also a good idea because you probably have a Visa or Mastercard, in which case using your credit card is like donating to Satan. But a real Satan, who is less metal and more politically influential.

  • The average ID fraud in 2009 was for over $4000. They had open access to CC details for 8 months! Even the out of pocket expenses per fraud victim is over $600, so if there were 200 victims as a result of this company's lax security, the fine isn't even on par with the individual cost of those affected, which is absurd.

    Though, TFA is obscenely light on detail, so it's possible that their security issue actually caused no individual harm and only led to the possibility of harm having occurred. I suspect t
    • by Solandri (704621)

      The average ID fraud in 2009 was for over $4000. They had open access to CC details for 8 months! Even the out of pocket expenses per fraud victim is over $600, so if there were 200 victims as a result of this company's lax security, the fine isn't even on par with the individual cost of those affected, which is absurd.

      From TFA, it sounds like the only customer info on the compromised system was credit and debit card numbers. Cardholder liability for fraudulent use of their credit card is limited to $50 [wikipedia.org] b

    • We are talking about a regional restaurant chain, not a billion dollar corporation. I can't find any financials, but the website for the company says they have a grand total of 7 locations.

      $110,000 is likely a very large fine for this company.

  • by Charliemopps (1157495) on Tuesday March 29, 2011 @07:35PM (#35660518)
    While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...
    • by ProfM (91314)
      In addition, since this is a restaurant, the profit margins are typically thin. A $110,000 fine could be enough to put them under.
      • by LordNimon (85072)

        So? Negligence with customer data is a serious offense. If they do go under, they'll be held up as a warning to others.

    • by ShakaUVM (157947)

      >>While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

      Anyone that can claim damages from this breech should probably get compensated.

      Though most of the time, you just tell your credit card company certain charges are invalid, and they waive them.

      Credit card companies don't take 2% of every bill for nothing, you know.

      • by compro01 (777531)

        Though most of the time, you just tell your credit card company certain charges are invalid, and they grab the money from the merchant, which may then get passed to business insurance, if they're lucky

        FTFY. If you think the credit card companies pay for fraud, you're crazy. If they actually were having to eat those costs, we might get actual security in this system.

        • by ShakaUVM (157947)

          >>FTFY. If you think the credit card companies pay for fraud, you're crazy. If they actually were having to eat those costs, we might get actual security in this system.

          If merchants verified everything they were supposed to, then the financial institution bears the cost of the fraud.

          http://en.wikipedia.org/wiki/Credit_card_fraud#Merchants [wikipedia.org]

          • Re:money grab (Score:4, Informative)

            by gcatullus (810326) on Wednesday March 30, 2011 @03:19AM (#35663754)

            As a merchant I deal with credit credit card chargebacks on a regular basis. All a customer has to say is that is not my charge. We have to send back documentation, such as proof of signature. If the charge happened at the credit card readers at our gasoline dispensers, we have no signature, and we eat the charge. We have even offered to provide the customer or issuing bank with the license plate number and picture of person and vehicle charging, but that means nothing. That is why in many locations you need to enter your zip code at a pay at the pump, this offers some security to the merchant, even though by rule the merchant still must eat the charge if the customer balks.

            Now if the merchant goes tits up or goes bad and steals money from the customers credit cards and can't pay it back, then the merchant's processing ISO is on the hook. The processor isn't Visa/Mastercard or the issuing bank, it is someone like First Data or a myriad of other middle men. The processor gets as little as 3 to 6 cents a transaction, passing the interchange cost to the merchant. The merchant has paid anywhere from 50 cents a transaction to 3% for the convenience of letting a customer pay with credit.The issuing banks and the cartel of Visa/Mastercard are on the hook only if the processor goes under. And even then it is the issuing banks that deal with the customer directly and they are the only ones who can decide to credit or not credit the customer.

            The problem with this system in the United States is that the entities that make money off of credit card transactions, i.e. the issuing banks, have absolutely no incentive to make the system more secure. They do none of the work, other than marketing their credit cards and profiting off of their card holders who use their cards and the merchants who accept their cards

            • by ShakaUVM (157947)

              Fascinating, thanks.

              Makes a little more sense why we have to put up with that Verified By Visa crap.

          • It doesn't really matter who pays, as the cost will be passed onto the customer in the end. The only way to ensure that on the credit card companies is either A. higher processes fees, or B. make the merchant accountable in reality for the most part on fraud. They are smart enough to "hold" the money, so it shouldn't be a surprise that it is both ways.

    • by bmo (77928)

      We, as a society, have chosen fines as a reasonable way to penalize businesses that do things the wrong way. It's not about "making someone whole." It's about exacting punishment to make an example for others and to motivate businesses not to do unwanted behavior.

      So, what's your real problem with this? We should expect businesses to not play silly buggers with credit card information. I'm sorry if I don't shed a tear here.

      --
      BMO

    • While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

      Generally they would get their money back through their credit card companies or banks. I don't have a problem with the money going into the government like most fines which are punitive in nature.

    • by Darinbob (1142669)

      It's a punitive fine. The intent is to hurt enough that the company decides it needs to get on the ball. If the fine is too low then companies in the past have just factored this in as a cost of doing business. Ie, they may feel it's less expensive overall to not pay someone to implement better security.

    • by Silverlock (36154)

      While I agree that credit card fraud is getting worse and we need to do something, I object to the immediate demonization of the restaurants as 'incompetent'. In this case, the restaurant group is a larger group with more money to play with, but what about single mom-and-pop restaurants? They may be extremely competent at running a restaurant..

      Is it reasonable to suggest that every restaurant or store that takes credit cards must be run by certified network security geeks? No. The reason this is happening i

  • Certainly it doesn't go to the people whose information was handled poorly. Are they even contacted?

  • by Haedrian (1676506) on Tuesday March 29, 2011 @07:41PM (#35660572)

    "essentially, get its *&@! together."

    Yeah, get your special characters together!

    • by Qzukk (229616)

      Previously their password was password. Now they'll need at least one special character, so it'll be password!

    • by DavidD_CA (750156)

      Maybe if special characters were used in the firstplace, the systems wouldn't have been so easily hacked. ;)

  • I applaud the steps Massachusetts is taking to protect people's personal data, but at some point the fines and fees incurred by businesses here in Massachusetts will be enough to convince them to pack up and move to neighboring states where they can be more profitable. Our governor Deval will claim to have been "blindsided" by this Mass Exodus (pun intended).
    • And good riddance.

    • and if you expect your man to help you around the house, he's going to find another less-nagging woman. Thanks for the business and relationship advice Good Housekeeping 1957.
    • Is there any flavor of malfeasance or negligence that we should punish, or do we have to live in constant terror of our precious businesses taking their ball and going home no matter what?
      • by bmo (77928)

        >Is there any flavor of malfeasance or negligence that we should punish?

        According to the randroid trolls on this topic, none.

        --
        BMO

    • by Darinbob (1142669)

      $110K seems a reasonable fine for a business of that size. Make the fine lower and they'll shrug it off. A fine has to hurt a little to be worthwhile. And it's a restaurant chain, what are they going to do move to Pennsylvania and hope the Boston residents make the drive? This doesn't fall into the area of government oppression and the jobs aren't going to vanish.

    • by ktappe (747125)

      I applaud the steps Massachusetts is taking to protect people's personal data, but at some point the fines and fees incurred by businesses here in Massachusetts will be enough to convince them to pack up and move to neighboring states where they can be more profitable. Our governor Deval will claim to have been "blindsided" by this Mass Exodus (pun intended).

      It was only a matter of minutes until a pro-business shill like you came along to claim that this move was somehow wrong. There was NOTHING WHATSOEVER wrong with the government's move here. If anything the damages were too low, for this was a case of protracted and blatant data insecurity that greatly endangered the financial well being of all their customers. Punishing this type of behavior is way WAY more important than protecting your precious business base.

    • And then only businesses that obey the law will be left!

  • I was surprised about a half year later, that the hotel sent me a birthday card. I mentioned this to a colleague (a security specialist), who stayed often in the same hotel. I found it amusing, but he told me, "Now imagine that they get new computers, and the old ones are given away . . . with all our private data on it."

    Food for thought . . .

  • Why wouldn't the company just hide the data breach? There wouldn't be that many people in the company that would know about it. Easy enough to keep a lid on it. That's what control fraud is for, anyway.
    • by gcatullus (810326)

      They can't because of the PCI standards, you are required to have a secure system scan for crap etc now to be allowed to processor cards. Now not all processors are enforcing the standards some are just collecting a "non-compliance" fee every month. In addition, the issuing banks can correlate stolen credit card numbers with the merchant that they were last used properly at.

  • It only serves to destroy what really matters to you.

  • So, they started with small fry... Long way to go, then.
  • by 517714 (762276) on Tuesday March 29, 2011 @09:08PM (#35661380)

    125,000 accounts (account number, cardholder name, expiration date and secure code) were exposed.

    Here are alot more details [massdataprivacylaw.com] and the complaint [massdataprivacylaw.com]

    Briar Group was ordered to comply with the Data Law, but they were NOT fined under that law which went into effect after the data breach was eliminated. They were fined for violation of Title XV,Chapter93A [malegislature.gov]

  • What does the phrase "get its fuck together" mean?

  • Anyone know anywhere else that has similar laws? I'm in Arizona, and I can't imagine we have this sort of thing (mostly weak consumer protection). I know California has pretty strict data breach laws, requiring you notify everyone that could be affected.
  • by gordguide (307383) on Wednesday March 30, 2011 @12:53AM (#35663090)

    When I read the article cited in the OP, the first question I had was how many accounts were compromised. Nothing on that in the article. So, I looked at the AG's press release. Not a word about it there, either. That seemed suspicious to me, so a bit more digging revealed this link:

    http://www.massdataprivacylaw.com/data-breach/massachusetts-attorney-general-v-briar-group-llc---data-breach-settlement---the-details/ [massdataprivacylaw.com]

    ... with such tidbits as the charges were laid by the AG in court on the same day the settlement was announced. Go ahead, check out the link, there's more. Much more.

    Anyway, the number of accounts was an interest to me because I wanted to see exactly what the AG valued a breach at .... in other words, what is a company likely to pay in a fine for negligently giving my CC details away? Turns out the value is about a dollar ... there were 125,000 CC accounts compromised and each compromise included the cardholder's name, CC#, expiry dates and the secure code. In other words, "Jackpot" data.

  • A restaurant? C'mon, can you get any smaller when targeting a business? Anyone else here thinking we're getting a scapegoat as a "look, we do something about your privacy concerns" showpiece?

    Wake me when a corporation gets slapped for selling my info. 'til then, nothing to see here.

    • Would you rather them ignore smaller businesses just because they're small?

      Your argument makes no sense. Corporations are not *selling* your personal information (as defined by the MA law), so it's not covered. In this case, certain information was compromised (financial details) and that's what they go after.

      It's the first step in the right direction.

Memory fault -- brain fried

Working...