The Briar Group, which operates several restaurants in the Boston area, has agreed to pay $110,000 to settle allegations by the Massachusetts Attorney General's office that it failed to take reasonable steps to protect credit card data belonging to tens of thousands of customers.
Under terms of the settlement, announced Monday, the Briar Group also agreed to implement a strong password management system at each of its restaurants and to comply with the Payment Card Industry Data Security Standard.
The settlement relates to an incident that began in April 2009 when intruders broke into a Briar Group computer and installed malware designed to steal credit and debit card data. According to a lawsuit filed in Suffolk Superior Court by Attorney General Martha Coakley, the malicious software wasn't removed until December 2009.
During the intervening months, the company continued to accept credit and debit card payments even after it learned of the breach, the attorney general's office contended.
Coakley's office alleged that the compromise stemmed from The Briar Group's failure to take adequate steps to protect card holder data.
The state office noted that The Briar Group used default usernames and passwords on its point-of-sale systems and allowed multiple employees to use common usernames and passwords.
The complaint also alleged that The Briar Group failed to properly secure its wireless network and remote access to its systems.
The action against The Briar Group is one of the first to be announced since a tough Massachusetts data protection law went into effect last March.
The law, which is regarded by experts as one of the strictest in the nation, requires all entities doing business in Massachusetts to implement specific controls for protecting customer data.
The law requires that companies encrypt all sensitive personal information of Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media like memory sticks and DVDs.
The rule also mandates encryption for personal information transmitted over a wireless or public network.
In addition, companies are required to limit the amount of personal data they collect and need to ensure that they have adequate controls for protecting access to it.
The security requirements the company must implement under the settlement are based on the state's data protection rules, Coakley's office said.
In a statement emailed to Computerworld, The Briar Group said it "firmly" disagrees with some assertions made by the AG's office. "In particular, The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach," the statement said.