The Massachusetts Attorney General appears to have broken new ground with a recent enforcement action and fine against Briar Group, LLC, a restaurant chain that sustained a security breach exposing credit and debit card data. The papers filed in the case, and a related press release, shed light on the posture taken by the Massachusetts Attorney General in the enforcement of data security obligations, including the use of an alleged failure to comply with the Payment Card Industry Data Security Standard (“PCI-DSS”) as a basis for an enforcement action alleging consumer fraud. The fine levied in the amount of $110,000 and the continuing obligations imposed represent significant sanctions that may be faced by companies holding personal information of Massachusetts residents that allegedly is not adequately protected against breach incidents.

History of the case

Briar Group operates restaurant chains with several locations in Massachusetts and elsewhere. The complaint alleged that computer systems used by Briar Group to process credit and debit card transactions for its restaurants were infected by malware that intercepted card data as it was submitted for payment at the various restaurant locations and transmitted the data to a data thief. Briar Group was allegedly informed of a potential data breach by card processors on October 29, 2009. According to the complaint, a forensics investigator was not engaged until three weeks later, and the malware was not removed until December 10, 2009. During this period, Briar Group’s restaurants continued to accept credit and debit cards, even though Briar Group allegedly knew or had reason to know that its security had been breached and that the cards of its customers continued to be vulnerable to theft. Ultimately, over 125,000 credit and debit cards were allegedly affected by the breach.
