
$110,000 Fine Is First Under MA Data Privacy Law

Posted by timothy
from the good-start dept.
chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."
  • by 517714 (762276) on Tuesday March 29, 2011 @09:08PM (#35661380)

    125,000 accounts (account number, cardholder name, expiration date and secure code) were exposed.

    Here are a lot more details [massdataprivacylaw.com] and the complaint [massdataprivacylaw.com]

    Briar Group was ordered to comply with the Data Law, but they were NOT fined under that law which went into effect after the data breach was eliminated. They were fined for violation of Title XV, Chapter 93A [malegislature.gov]

  • by gordguide (307383) on Wednesday March 30, 2011 @12:53AM (#35663090)

    When I read the article cited in the OP, the first question I had was how many accounts were compromised. Nothing on that in the article. So, I looked at the AG's press release. Not a word about it there, either. That seemed suspicious to me, so a bit more digging revealed this link:

    http://www.massdataprivacylaw.com/data-breach/massachusetts-attorney-general-v-briar-group-llc---data-breach-settlement---the-details/ [massdataprivacylaw.com]

    ... with such tidbits as the charges were laid by the AG in court on the same day the settlement was announced. Go ahead, check out the link, there's more. Much more.

    Anyway, the number of accounts was of interest to me because I wanted to see exactly what the AG valued a breach at .... in other words, what is a company likely to pay in a fine for negligently giving my CC details away? Turns out the value is about a dollar ... there were 125,000 CC accounts compromised and each compromise included the cardholder's name, CC#, expiry dates and the secure code. In other words, "Jackpot" data.

  • Re:money grab (Score:4, Informative)

    by gcatullus (810326) on Wednesday March 30, 2011 @03:19AM (#35663754)

    As a merchant I deal with credit card chargebacks on a regular basis. All a customer has to say is that is not my charge. We have to send back documentation, such as proof of signature. If the charge happened at the credit card readers at our gasoline dispensers, we have no signature, and we eat the charge. We have even offered to provide the customer or issuing bank with the license plate number and picture of person and vehicle charging, but that means nothing. That is why in many locations you need to enter your zip code at a pay at the pump, this offers some security to the merchant, even though by rule the merchant still must eat the charge if the customer balks.

    Now if the merchant goes tits up or goes bad and steals money from the customers' credit cards and can't pay it back, then the merchant's processing ISO is on the hook. The processor isn't Visa/Mastercard or the issuing bank, it is someone like First Data or a myriad of other middle men. The processor gets as little as 3 to 6 cents a transaction, passing the interchange cost to the merchant. The merchant has paid anywhere from 50 cents a transaction to 3% for the convenience of letting a customer pay with credit. The issuing banks and the cartel of Visa/Mastercard are on the hook only if the processor goes under. And even then it is the issuing banks that deal with the customer directly and they are the only ones who can decide to credit or not credit the customer.

    The problem with this system in the United States is that the entities that make money off of credit card transactions, i.e. the issuing banks, have absolutely no incentive to make the system more secure. They do none of the work, other than marketing their credit cards and profiting off of their card holders who use their cards and the merchants who accept their cards.
