In the first enforcement action brought under the new Massachusetts data security regulation (201 CMR 17.00), Briar Group, LLC, a Massachusetts-based restaurant company, recently entered into a settlement agreement with the Massachusetts Attorney General arising from deficiencies in the company's data management practices. Under the terms of the agreement, Briar Group will pay $110,000 and adopt formal measures to protect customers' personal information.
The Massachusetts regulation requires businesses that own or license personal information about Massachusetts residents (including names, Social Security numbers, and credit card numbers) to adopt and implement a written, comprehensive information security program to protect customer and employee data. Further, businesses that electronically store or transmit such data are required to use technical safeguards and encryption measures consistent with industry standards. These requirements apply to all businesses that maintain data on Massachusetts residents, no matter where the business is located.
In this case, the Massachusetts Attorney General alleged several violations, including that Briar Group failed to periodically change the passwords used to access its computer systems, stored payment card information in clear text on its servers, failed to comply with the Payment Card Industry Data Security Standard (PCI DSS), and continued to accept credit and debit cards from customers after the company knew of an ongoing data breach.
This case is of particular significance because it resolves speculation by some that the Massachusetts Attorney General would not aggressively enforce 201 CMR 17.00. Now that the first settlement agreement has been entered, additional enforcement actions may follow quickly, including actions against businesses located outside Massachusetts.
Fish & Richardson is experienced in advising clients on compliance with the Massachusetts data security regulation and other privacy requirements under the law. We can develop a written data security program and data management procedures for your business to avoid fines and other penalties.
Click here to view a recent presentation on compliance with privacy and data protection laws.
For more information, please contact:
Ed Lavergne, Principal
Washington, DC
202-626-6359