Massachusetts 201 CMR 17, described by some as the toughest data protection law in the 50 states, has claimed its first victim. The Briar Group LLC, which owns bars and restaurants across Boston, has agreed to settle with the Massachusetts Attorney General. Many took to calling the regulation "Massachusetts's data encryption law." Interestingly enough, this case has nothing to do with encryption, although some of the practices at issue matter just as much when using corporate encryption software.
Penalty is for $110,000, Plus a Little Extra
The Briar Group — which operates The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar, and The Harp — has decided to settle with Martha Coakley, Massachusetts’s AG:
The judgment, signed on March 28, 2011, by Suffolk Superior Court Judge Giles, requires a payment to the Commonwealth of $110,000 in civil penalties; compliance with Massachusetts data security regulations; compliance with Payment Card Industry Data Security Standards; and the establishment and maintenance of an enhanced computer network security system.[mass.gov]
So the settlement costs far more than $110,000, although it could be argued that the Briar Group should have had everything else in place already. Right?
Well, maybe. Interestingly enough, the AG's press release also noted:
Although the data breach occurred prior to the effective date of the Massachusetts data security regulations, the data security standards set forth in the regulations were used in the settlement.
Technically, the Briar Group was not yet required by the law to have those security measures in place: the "data encryption law" went into effect on March 1, 2010, and the Briar Group's breach took place between April 2009 and December 2009. The company should have had those measures in place anyway as a way to deter breaches; however, the regulation is not retroactive.
On the other hand, good data security ought to be practiced regardless of what the law states.
One of the AG's complaints is that the Briar Group used default usernames and passwords (read: factory settings) on its point-of-sale systems (POS: the computers that ring up checks and keep track of sales and inventory). This is a dangerous practice because default credentials are the same on every unit a vendor ships and are printed in the manuals. With only a handful of POS system manufacturers, an attacker would need to try a very limited number of username and password combinations before breaking into a POS successfully.
Another complaint was that the Briar Group's employees were allowed to use shared usernames and passwords, which is a variation of the first complaint. Again, it shrinks the number of distinct credentials an attacker has to guess, which is bad from a security standpoint (think of it as a master key that opens the front door, the back door, and the garage door). It also makes a meaningful audit impossible if an internal problem is discovered: if ten people share a password and there is internal fraud, which of the ten is responsible?
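To make the two complaints concrete, here is a small audit script, added as an example and not code from the original post, from AlertBoot, or from the Briar Group. It checks a POS account inventory against a list of factory defaults and scans an authentication log for accounts that are logged in on several terminals at once, then shows why an action by such an account cannot be pinned on one person. The inventory, the default-credential list, the terminal and account names, and the log format are all constructed for this example and do not describe any real vendor or system.

```python
"""Audit POS accounts for factory-default and shared credentials.

Everything below (inventory, defaults, log lines) is constructed sample
data for illustration, not any vendor's real defaults or any real log.
"""
import hashlib
import re
from collections import defaultdict

# Hypothetical placeholder defaults; a real audit would load the vendor's
# documented defaults for each POS model in the estate.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("pos", "pos"), ("manager", "1234")]


def pw_hash(password):
    # Plain SHA-256 keeps the example self-contained. A real system should
    # store salted, slow hashes, and the audit would use that same scheme.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed inventory: (terminal, username, stored password hash).
INVENTORY = [
    ("POS-01", "admin", pw_hash("admin")),
    ("POS-02", "admin", pw_hash("admin")),
    ("POS-03", "admin", pw_hash("c0rrect-h0rse")),
    ("POS-01", "server", pw_hash("summer2009")),
]


def find_default_credentials(inventory):
    """Return (terminal, user) pairs whose stored hash matches a known default."""
    defaults = {(user, pw_hash(pw)) for user, pw in DEFAULT_CREDENTIALS}
    return sorted((terminal, user) for terminal, user, digest in inventory
                  if (user, digest) in defaults)


# Constructed log format: "<ISO timestamp> <terminal> <login|logout> user=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<terminal>\S+) (?P<action>login|logout) user=(?P<user>\S+)")

# Constructed, time-ordered sample log: one shared "server" login is active
# on three registers at the same time; "jsmith" is a personal account.
AUTH_LOG = [
    "2009-06-12T18:02:11 POS-01 login user=server",
    "2009-06-12T18:02:40 POS-04 login user=server",
    "2009-06-12T18:03:05 POS-02 login user=server",
    "2009-06-12T18:05:00 POS-03 login user=jsmith",
    "2009-06-12T21:10:00 POS-03 logout user=jsmith",
    "2009-06-12T22:40:00 POS-01 logout user=server",
    "2009-06-12T22:41:00 POS-02 logout user=server",
    "2009-06-12T22:45:00 POS-04 logout user=server",
]


def find_shared_accounts(log_lines):
    """Return {user: peak concurrent terminals} for accounts that were logged
    in on more than one terminal at the same time (lines must be time-ordered)."""
    open_sessions = defaultdict(set)
    peak = defaultdict(int)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        user, terminal, action = m["user"], m["terminal"], m["action"]
        if action == "login":
            open_sessions[user].add(terminal)
        else:
            open_sessions[user].discard(terminal)
        peak[user] = max(peak[user], len(open_sessions[user]))
    return {user: n for user, n in peak.items() if n > 1}


def attribution_candidates(log_lines, user, timestamp):
    """Terminals where `user` had an open session at `timestamp` (ISO-8601
    strings compare correctly as text). More than one candidate means an
    action recorded under that account cannot be attributed to one person."""
    open_terminals = set()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["user"] != user:
            continue
        if m["ts"] > timestamp:
            break
        if m["action"] == "login":
            open_terminals.add(m["terminal"])
        else:
            open_terminals.discard(m["terminal"])
    return sorted(open_terminals)


if __name__ == "__main__":
    print("default credentials:", find_default_credentials(INVENTORY))
    print("shared accounts:", find_shared_accounts(AUTH_LOG))
    print("who was 'server' at 20:00?",
          attribution_candidates(AUTH_LOG, "server", "2009-06-12T20:00:00"))
```

Run as-is, the script flags the two registers still on the factory `admin` login, reports the `server` account as active on three terminals at once, and lists all three terminals as candidates for anything that account did at 20:00, which is exactly the audit dead end described above. The same two checks, fed real inventory and real logs, are a reasonable first pass at the "default credentials" and "shared accounts" items in any POS assessment.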
Incidentally, the same points apply to encryption software's password management. It is one of the reasons AlertBoot prompts a user to change the default password the first time it is used, so the default is never used more than once on any system that gets encrypted.
Last but not least, the AG noted that the company kept accepting credit and debit cards after it had found that its POS systems were breached. I don't think I need to explain why this is bad.
The Briar Group released a statement partially denying the AG’s account of the situation:
“We took immediate and aggressive action steps, including: informing the major credit card companies of the potential breach, working with the nation’s leading data security company to identify any weaknesses in our data systems and make system upgrades to further secure customer data and cooperating with a federal investigation into this matter,” the statement said. “We are confident that customers dining at one of our restaurants can safely use their credit cards.” [boston.com]