March 28, 2011
Massachusetts Shows It's Serious About Enforcing Data Security Regulations: $110,000 Fine for Restaurant Group that Failed to Secure Personal Data
Earlier this year, Ken Liao and I presented a webinar on our "Top Ten Privacy Predictions for 2011" and one of those predictions was that we'd see at least one enforcement action under the Massachusetts data protection law (201 CMR 17).
While that prediction has not exactly come to pass, today's announcement from the attorney general of Massachusetts shows that the state is extremely serious about enforcing its data privacy laws.
A press release from the Mass AG's office today, "Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley," announces that the restaurant group Briar Group, LLC will pay a $110,000 fine, ensure compliance with Massachusetts data security regulations, ensure compliance with PCI-DSS, and upgrade its computer security systems.
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” said Massachusetts attorney general Martha Coakley in the statement. “In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”
As the Mass AG's press release points out, the data breach at Briar Group happened prior to the effective date of the Massachusetts data security regulations (and, hence, my prediction has not quite come true yet), but the data security standards set forth in those regulations were used in the settlement.
For more info on 201 CMR 17 and other privacy and data protection resources, see the privacy predictions link I mentioned earlier in this post.

