$110,000 Fine Is First Under MA Data Privacy Law

chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."

Good.

Maybe businesses will finally start realizing that they need to protect their customers' information with more than a shared password that every frycook is privy to.

That company should move to Texas

In Texas companies are encouraged to poison and steal from their customers.

Malware, Natural Gas Fracking, Pollution

Rick Perry invites you all to use Texas as a dumping ground for the byproducts of corporate greed.

We've even changed our motto to "Mess with Texas"

Re:That company should move to Texas

[theillien]

At one point I submitted the suggestion that they change it to "Messed Up Texas", but no one knew what I was talking about.

Re:That company should move to Texas

Yeah, but you know what we have that Mass. doesn't? Wait for it... jobs. An economy. High standard of living, low personal taxes (no state income tax), a GDP higher than most countries, and no real estate bubble. We'll eventualy fix the broken shit that is our schools and our 'good old boy' government culture, but I hope we don't lose the rest of it in the process.

Massachusetts, on the other hand, is just fucked. But at least nobody will leak your credit card info.

Re:That company should move to Texas

[sumdumgai]

We also have a $27 billion budget deficit, a governor that lives in a rented mansion paid for by the taxpayers, a kangaroo court system, and fundamentalist revised history books. Yay Texas!

Re:That company should move to Texas

All of those (except the budget deficit) fall under 'broken schools' and 'good old boy gov culture', as I said, of which I am convinced we will eventually fix (mostly due to increased awareness). The budget deficit is the more worrying to me - deficits rarely go away, they only seem to get bigger. We either need to figure out what it is the state is paying for that's costing too much for the gain, or look into some kind of taxation / fee based revenue to stem the tide. Or both.

Did they use...

[taktoa]

Norton Antivirus 2003?

Re:Did they use...

Nope it was Antivirus2010
although, it could be McAfee

Re:Did they use...

Are they going to outlaw WindowsXP next? How about Outlook? Disconnect from the Internet?

Re:Did they use...

[taktoa]

Anything that increases Linux market share is nice... besides, Outlook has no place in a business, one could use Gmail (or even a generic webmail) and mitigate the security risk.

Re:Did they use...

[GameboyRMH]

As much as Outlook sucks major ass, is switching from in-house email to hosted email a positive step for privacy and security?

Re:Did they use...

[GameboyRMH]

Look I'm not going to say Linux is perfect. I'm just going to say that if this business was a Linux environment, malware would be a mostly theoretical threat, like your car spontaneously bursting into flames. Sure it could happen, but...you can be pretty sure it's not gonna happen.

Lesson...

[mysidia]

When visiting a bar or restaurant, bring cash.

Or pre-paid debit card you keep with only a small amount loaded on it.

Minimize the use of CCs and checking/loan-account-linked cards

Re:Lesson...

When visiting a bar or restaurant, bring cash.

or grocery stores... seriously, walmart, small chains, large chains. It doesn't matter.

If the point of sale system is maintained by people in the point of sale business.... RUN.
These guys moved into computers from maintaining hardware registers. my grandmother knows more about data security than most of them.

The worst part is when they do accidentally hire a computer specialist, they fire them for not "getting it", then get the government/major POS software vendor to throw the book at you for being an "unlicenced/unsupported/competent" support vendor....

YAY.

Re:Lesson...

Why would I go through all that trouble to protect my bank's liability? My money is not at risk of credit card fraud. The banks have lost several thousand dollars due to poor security that resulted in my accounts being compromised previously. I continue to not take any additional effort towards security when a picture of a piece of plastic is all that's necessary to steal money from them... not my problem.

Re:Lesson...

[LordNimon]

Why should I? If there are any fraudulent charges, my credit card company will reverse them. Constantly reloading a debit card is a big hassle, and carrying around that much cash with me is unsafe.

Re:Lesson...

[Ruke]

While it is valuable to keep security in mind, I think that you might be taking it a little over the edge. Despite the fact that identity theft does happen, the rate at which it happens is low enough that the benefit of using credit outweighs the risk of having your identity stolen. Keeping an eye on your bank statements, and immediately contacting your bank in the event that any suspicious charges show up,seems to be much more reasonable strategy for 95% of the population than carrying large amounts of cash.

Re:Lesson...

[couchslug]

That way your tips have better odds of going to your server.
Nothing wrong with cash at all.

Re:Lesson...

[cloudmaster]

Depends on the restaurant; some place have each server log in and take the cards so the tip definitely goes to the right place - and their taxes are easier. Other places, where they just have the cheap card reader separate from the register, may not get stuff properly distributed.

Re:Lesson...

[hldn]

implying i leave tips.

Re:Lesson...

[Miseph]

You seem to be under the impression that cash tips are generally logged properly such that taxes can be properly paid.

That's adorable.

Speaking of which... good news! The Easter Bunny is coming in just a few more days! Get ready for candy!

Re:Lesson...

[cloudmaster]

I meant easier for the government. I pay taxes on /my/ income, so I'll be damned if I'm gonna leave cash for a waiter just so he can cheat on his. Waiters can just learn to cheat their taxes through abusing the complex tax code like the rest of us.

Re:Lesson...

[mysidia]

You seem to be under the impression that cash tips are generally logged properly such that taxes can be properly paid.

Failing to log and properly report the tip income is a crime (tax fraud), and unethical. I believe tips are generally logged properly. If you find reason to believe you have found some organization or person who is an exception, to logging tips properly, file IRS form 3949-A, with the appropriate information.

The law and the stiff penalties for intentionally disobeying it or negligently failing to keep the required records should be enough to ensure people log and report their tips properly. The IRS also has some special rules for food establishments.

As an employer, you must ensure that the total tip income reported to you during any pay period is, at a minimum, equal to 8% of your total receipts for that period..
When the total reported to you is less than 8%, you must allocate the difference between the actual tip income reported and 8% of gross receipts.

Re:Lesson...

[RajivSLK]

The term identity theft makes me laugh ever since I heard this: http://www.youtube.com/watch?v=CS9ptA3Ya9E

Re:Lesson...

[GameboyRMH]

Minimize the use of CCs and checking/loan-account-linked cards

Also a good idea because you probably have a Visa or Mastercard, in which case using your credit card is like donating to Satan. But a real Satan, who is less metal and more politically influential.

Re:Lesson...

[Jim_Maryland]

My wife worked at a number of restaurants where amazingly the claimed tips by servers always hit the 8% mark, nothing more, nothing less. The justification made by her coworkers was that some nights they make less than the 8% so averaging it out was "OK" to them. I always try to pay my meals & tip using a card, that way I'm fairly confident the tips are being captured accurately for both taxes and the shared tips (table bus staff, cooks, prep staff, etc... that may be due a share based on restaurant policy).

Re:Lesson...

[mysidia]

My wife worked at a number of restaurants where amazingly the claimed tips by servers always hit the 8% mark, nothing more, nothing less. The justification made by her coworkers was that some nights they make less than the 8% so averaging it out was "OK" to them.

Well, that's interesting... But then again, they can rationalize why they break the law all they want,

doesn't make it legal. Workers who receive tips are not allowed to "guess" at the amount of tips, the reporting standard required is the exact amount.

But I expect if they keep that pattern up, they'll eventually be audited anyways, possibly charged with fraudulent reporting. It's just a question of the IRS trying to fry the bigger fish first.

Re:Lesson...

[Miseph]

If I'm going to start busting on tax evaders, I'll dig up dirt on people who already make more than they could spend anyway, the ones with no good excuses or reasons.

My friends and former coworkers taking shifts waiting tables to make ends meet... nope, they're good.

low fine

[c_jonescc]

The average ID fraud in 2009 was for over $4000. They had open access to CC details for 8 months! Even the out of pocket expenses per fraud victim is over $600, so if there were 200 victims as a result of this company's lax security, the fine isn't even on par with the individual cost of those affected, which is absurd.

Though, TFA is obscenely light on detail, so it's possible that their security issue actually caused no individual harm and only led to the possibility of harm having occurred. I suspect though that if you're the victim if ID fraud it is impossible to find the one bar (in this case) where your problems nucleated.

Source for numbers: https://www.infosecisland.com/blogview/11823-Identity-Fraud-Cases-and-Costs-Plummeted-Last-Year.html

Re:low fine

[Solandri]

The average ID fraud in 2009 was for over $4000. They had open access to CC details for 8 months! Even the out of pocket expenses per fraud victim is over $600, so if there were 200 victims as a result of this company's lax security, the fine isn't even on par with the individual cost of those affected, which is absurd.

From TFA, it sounds like the only customer info on the compromised system was credit and debit card numbers. Cardholder liability for fraudulent use of their credit card is limited to $50 by U.S. law. Similarly, Massachusetts law limits cardholder liability for debit cards to $50.

So by your reasoning, the fine should have been 200*$50 = $10,000. (From reading TFA it sounds like there were a lot more than 200 victims. But I just wanted to make the point that there's a huge difference between credit card theft and identity theft).

money grab

[Charliemopps]

While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

Re:money grab

[ProfM]

In addition, since this is a restaurant, the profit margins are typically thin. A $110,000 fine could be enough to put them under.

Re:money grab

[ShakaUVM]

>>While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

Anyone that can claim damages from this breech should probably get compensated.

Though most of the time, you just tell your credit card company certain charges are invalid, and they waive them.

Credit card companies don't take 2% of every bill for nothing, you know.

Re:money grab

[bmo]

We, as a society, have chosen fines as a reasonable way to penalize businesses that do things the wrong way. It's not about "making someone whole." It's about exacting punishment to make an example for others and to motivate businesses not to do unwanted behavior.

So, what's your real problem with this? We should expect businesses to not play silly buggers with credit card information. I'm sorry if I don't shed a tear here.

--
BMO

Re:money grab

[LordNimon]

So? Negligence with customer data is a serious offense. If they do go under, they'll be held up as a warning to others.

Re:money grab

It's a group of restaurants, that are in some pretty nice locations (http://www.briar-group.com/venues/index.htm).
They should have the cash to pay the fine, but the damage to their reputation from being lax with the customers information may be what puts them under.

Re:money grab

[similar_name]

While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

Generally they would get their money back through their credit card companies or banks. I don't have a problem with the money going into the government like most fines which are punitive in nature.

Re:money grab

[compro01]

Though most of the time, you just tell your credit card company certain charges are invalid, and they grab the money from the merchant, which may then get passed to business insurance, if they're lucky

FTFY. If you think the credit card companies pay for fraud, you're crazy. If they actually were having to eat those costs, we might get actual security in this system.

Re:money grab

[ShakaUVM]

>>FTFY. If you think the credit card companies pay for fraud, you're crazy. If they actually were having to eat those costs, we might get actual security in this system.

If merchants verified everything they were supposed to, then the financial institution bears the cost of the fraud.

http://en.wikipedia.org/wiki/Credit_card_fraud#Merchants

Re:money grab

[Darinbob]

It's a punitive fine. The intent is to hurt enough that the company decides it needs to get on the ball. If the fine is too low then companies in the past have just factored this in as a cost of doing business. Ie, they may feel it's less expensive overall to not pay someone to implement better security.

Re:money grab

[gcatullus]

As a merchant I deal with credit credit card chargebacks on a regular basis. All a customer has to say is that is not my charge. We have to send back documentation, such as proof of signature. If the charge happened at the credit card readers at our gasoline dispensers, we have no signature, and we eat the charge. We have even offered to provide the customer or issuing bank with the license plate number and picture of person and vehicle charging, but that means nothing. That is why in many locations you need to enter your zip code at a pay at the pump, this offers some security to the merchant, even though by rule the merchant still must eat the charge if the customer balks.

Now if the merchant goes tits up or goes bad and steals money from the customers credit cards and can't pay it back, then the merchant's processing ISO is on the hook. The processor isn't Visa/Mastercard or the issuing bank, it is someone like First Data or a myriad of other middle men. The processor gets as little as 3 to 6 cents a transaction, passing the interchange cost to the merchant. The merchant has paid anywhere from 50 cents a transaction to 3% for the convenience of letting a customer pay with credit.The issuing banks and the cartel of Visa/Mastercard are on the hook only if the processor goes under. And even then it is the issuing banks that deal with the customer directly and they are the only ones who can decide to credit or not credit the customer.

The problem with this system in the United States is that the entities that make money off of credit card transactions, i.e. the issuing banks, have absolutely no incentive to make the system more secure. They do none of the work, other than marketing their credit cards and profiting off of their card holders who use their cards and the merchants who accept their cards

Re:money grab

[ShakaUVM]

Fascinating, thanks.

Makes a little more sense why we have to put up with that Verified By Visa crap.

Re:money grab

[Silverlock]

While I agree that credit card fraud is getting worse and we need to do something, I object to the immediate demonization of the restaurants as 'incompetent'. In this case, the restaurant group is a larger group with more money to play with, but what about single mom-and-pop restaurants? They may be extremely competent at running a restaurant..

Is it reasonable to suggest that every restaurant or store that takes credit cards must be run by certified network security geeks? No. The reason this is happening is that Visa and Mastercard hold all the cards (no pun intended). They can decide that they are not responsible for anything and who is going to tell them otherwise? Grandma of Grandma's Diner is going to understand the technical issues involved and take Visa down in court? Right.

Re:money grab

[Aldenissin]

It doesn't really matter who pays, as the cost will be passed onto the customer in the end. The only way to ensure that on the credit card companies is either A. higher processes fees, or B. make the merchant accountable in reality for the most part on fraud. They are smart enough to "hold" the money, so it shouldn't be a surprise that it is both ways.

What is that fine money being used for?

[dmomo]

Certainly it doesn't go to the people whose information was handled poorly. Are they even contacted?

I LOVE THIS :) :) :)

I work in the security software business. Laws like this keep me employed. I usually believe laws are bad, but KUDOS to MA for getting the companies who operate in their jurisdiction to care. Even if they are fearful of fines.

Re:I LOVE THIS :) :) :)

Wait until one of your clients sues your company for not catching something and they in turn get slammed by this law.

5 year old kids reading this?

[Haedrian]

"essentially, get its *&@! together."

Yeah, get your special characters together!

Re:5 year old kids reading this?

[Qzukk]

Previously their password was password. Now they'll need at least one special character, so it'll be password!

Re:5 year old kids reading this?

[DavidD_CA]

Maybe if special characters were used in the firstplace, the systems wouldn't have been so easily hacked. ;)

Re:5 year old kids reading this?

Sounds like it wasn't 'hacked' - it was malware most likely downloaded from the internet.

Goodbye MA Businesses

[Randall311]

I applaud the steps Massachusetts is taking to protect people's personal data, but at some point the fines and fees incurred by businesses here in Massachusetts will be enough to convince them to pack up and move to neighboring states where they can be more profitable. Our governor Deval will claim to have been "blindsided" by this Mass Exodus (pun intended).

Re:Goodbye MA Businesses

[postbigbang]

And good riddance.

Re:Goodbye MA Businesses

No kidding. There's a lesson to be learned here, and it isn't "secure your systems" it's "never do business in Massachusetts."

There's no way a small business will be able to afford the type of security required to keep hackers off their systems. And the lesson here is "if you get hacked in Massachusetts, just go out of business, you're fucked."

Re:Goodbye MA Businesses

[amanicdroid]

and if you expect your man to help you around the house, he's going to find another less-nagging woman. Thanks for the business and relationship advice Good Housekeeping 1957.

Re:Goodbye MA Businesses

Its pretty tough to move a restaurant. Supply and demand will keep restaurants in Massachusetts.

Re:Goodbye MA Businesses

[KhabaLox]

There's no way a small business will be able to afford the type of security required to keep hackers off their systems

Really? I understand that anti-malware security is somewhat esoteric to the lay-user still, but any business collecting CC details and payments should have the money to invest in either A) a payment service that takes care of securing customer data for them or B) an IT consultant to install free software on their system and give the owner a few hours of training in using and maintaining it.

Re:Goodbye MA Businesses

[fuzzyfuzzyfungus]

Is there any flavor of malfeasance or negligence that we should punish, or do we have to live in constant terror of our precious businesses taking their ball and going home no matter what?

Re:Goodbye MA Businesses

Massachusetts is too good a market for something like this to drive a multi-restaurant chain out of the state. Do you think they will make more money in Vermont, New Hampshire, Rhode Island or upstate CT or NY? I'll take Back Bay, Beacon Hill or even the North End over almost any location in any of those states. The marketplace is the ultimate determinant, and all this BS about taxes driving business away is just crapola...it's an oh-so-small factor that hardly ever will actually drive someone out...it's usually just an excuse for lazy or poor management practices which cause a business to lose position.

Re:Goodbye MA Businesses

[bmo]

>Is there any flavor of malfeasance or negligence that we should punish?

According to the randroid trolls on this topic, none.

--
BMO

Re:Goodbye MA Businesses

How about the people attacking the computer systems? This is punishing someone for getting infected. It's literally punishing the victim.

It's the equivalent of getting a fine for not having a strong enough door when your house is broken into. It would be like fining a rape victim for having a skirt that was "too short."

Malware is going to get onto computer systems. No amount of "security software" is going to prevent that.

What this law says is that either you get very lucky and never get infected, or you get a giant fine that puts you out of business.

Not to mention the privacy concerns this law raises. Basically, it says that you must always get contact information for every single customer you ever have and then never delete that information so you can tell them if your computer systems get infected.

So, yes, someone should be punished for malware: the malware authors, not the victims.

Re:Goodbye MA Businesses

I bet you live and work in Massachusetts.

So many Tea Party/talk radio fans whine about living in Massachusetts. Why don't "y'all" go elsewhere, to one of your rural paradises? "Well, I kinda sorta plan to ten years down the road, but for now there's a lot of good paying jobs in this area because companies are attracted by the college graduates and the big city amenities of Boston." Oh.

Re:Goodbye MA Businesses

[yuna49]

Not to mention those businesses are supposed to abide by the Payment Card Industry Data Security Standard. One of my clients gets an email warning him about this from his payments processor every month or two.

Re:Goodbye MA Businesses

[Darinbob]

$110K seems a reasonable fine for a business of that size. Make the fine lower and they'll shrug it off. A fine has to hurt a little to be worthwhile. And it's a restaurant chain, what are they going to do move to Pennsylvania and hope the Boston residents make the drive? This doesn't fall into the area of government oppression and the jobs aren't going to vanish.

Re:Goodbye MA Businesses

[Darinbob]

No, the victims were the customers of the restaurant chain. The company wasn't fined merely for getting infected. From the article, they attorney general claims they "continued to accept credit and debit cards from customers even after it learned of the breach." That doesn't sound like a victim, instead it sounds like they were actually helping the malware through inaction. Of course the company denies this, so it always comes down to he-said/she-said.

Re:Goodbye MA Businesses

[ktappe]

I applaud the steps Massachusetts is taking to protect people's personal data, but at some point the fines and fees incurred by businesses here in Massachusetts will be enough to convince them to pack up and move to neighboring states where they can be more profitable. Our governor Deval will claim to have been "blindsided" by this Mass Exodus (pun intended).

It was only a matter of minutes until a pro-business shill like you came along to claim that this move was somehow wrong. There was NOTHING WHATSOEVER wrong with the government's move here. If anything the damages were too low, for this was a case of protracted and blatant data insecurity that greatly endangered the financial well being of all their customers. Punishing this type of behavior is way WAY more important than protecting your precious business base.

Re:Goodbye MA Businesses

[ktappe]

It's the equivalent of getting a fine for not having a strong enough door when your house is broken into.

Bad analogy. There was business taking place here--where are the financial transactions in your analogy? Further, there was knowledge of a break-in but no action taken.

A much better analogy would be if one of those self-storage outfits noticed that several of their clients lockers/units had been breached but did/said nothing while nightly looting of those units occurred. In fact, they continued to collect the monthly rent on those units.

Re:Goodbye MA Businesses

[SunTzuWarmaster]

And then only businesses that obey the law will be left!

The last part is the kicker

[winkydink]

Everything here could happen to almost any SMB out there. But to keep taking credit cards _after_ knowing you've been hacked?

Re:The last part is the kicker

[PraiseBob]

The chance of getting fined is a possible loss of revenue. Not taking credit cards is a definite loss of revenue. Not taking credit cards for a couple of weeks while you replace / reformat all machines in the company that could be hiding malware would cost far more than $110k.

Punishing the victim?

The government has been abdicating its responsibility to actually investigate fraud and thefts done via computer... the bulk of such crimes are possible to investigate via normal means.. ie follow the money trail and do a little surveillance work.

Putting the burden on individuals and small businesses to conduct police work, seems this is a lot like punishing the victim.

Re:Punishing the victim?

[BitterOak]

I would agree with you except for the part about the restaurant continuing to process and store credit card information even *after* they knew of the breach and before they fixed it.

Way back when, in 1993 I was on trip to Geneva

[PolygamousRanchKid+]

I was surprised about a half year later, that the hotel sent me a birthday card. I mentioned this to a colleague (a security specialist), who stayed often in the same hotel. I found it amusing, but he told me, "Now imagine that they get new computers, and the old ones are given away . . . with all our private data on it."

Food for thought . . .

martha coakly is a dumb cunt

Considering her track record, I have a hard time thinking this was a good thing.

Driving bad behavior?

[nonregistered]

Why wouldn't the company just hide the data breach? There wouldn't be that many people in the company that would know about it. Easy enough to keep a lid on it. That's what control fraud is for, anyway.

Re:Driving bad behavior?

[gcatullus]

They can't because of the PCI standards, you are required to have a secure system scan for crap etc now to be allowed to processor cards. Now not all processors are enforcing the standards some are just collecting a "non-compliance" fee every month. In addition, the issuing banks can correlate stolen credit card numbers with the merchant that they were last used properly at.

Inside Job?

I would guess it was an inside job and they had less of an incentive to act on the issue.

Hopefully this will now address that sort of problem.

Re:Inside Job?

[Push+Latency]

Doesn't this encourage the unsavory to simply infect a competitor's computer system?

Stop buying music!

[Marrow]

It only serves to destroy what really matters to you.

Re:Stop buying music!

[Marrow]

rats, wrong thread

Small fry

[c0lo]

So, they started with small fry... Long way to go, then.

Fine was NOT for Breach Law Violation

[517714]

125,000 accounts (account number, cardholder name, expiration date and secure code) were exposed.

Here are alot more details and the complaint

Briar Group was ordered to comply with the Data Law, but they were NOT fined under that law which went into effect after the data breach was eliminated. They were fined for violation of Title XV,Chapter93A

Re:Fine was NOT for Breach Law Violation

They were fined for violation of Title XV,Chapter93A [malegislature.gov]

I've just been sitting here for 30 seconds trying to figure out what a "male gislature" is. I guess it's either too early or too late, and I need more coffee...

Looks like the restaurant chain ...

[Weirsbaski]

just got served,

Small in what context?

[brunes69]

We are talking about a regional restaurant chain, not a billion dollar corporation. I can't find any financials, but the website for the company says they have a grand total of 7 locations.

$110,000 is likely a very large fine for this company.

Re:Small in what context?

[c_jonescc]

Small in that it's less than the damage they likely caused through negligence.

Re:Small in what context?

Fines are not restitution

*&@!_?

[md65536]

What does the phrase "get its fuck together" mean?

Interesting...

[rsilvergun]

Anyone know anywhere else that has similar laws? I'm in Arizona, and I can't imagine we have this sort of thing (mostly weak consumer protection). I know California has pretty strict data breach laws, requiring you notify everyone that could be affected.

Much better information here ....

[gordguide]

When I read the article cited in the OP, the first question I had was how many accounts were compromised. Nothing on that in the article. So, I looked at the AG's press release. Not a word about it there, either. That seemed suspicious to me, so a bit more digging revealed this link:

http://www.massdataprivacylaw.com/data-breach/massachusetts-attorney-general-v-briar-group-llc---data-breach-settlement---the-details/

... with such tidbits as the charges were laid by the AG in court on the same day the settlement was announced. Go ahead, check out the link, there's more. Much more.

Anyway, the number of accounts was an interest to me because I wanted to see exactly what the AG valued a breach at .... in other words, what is a company likely to pay in a fine for negligently giving my CC details away? Turns out the value is about a dollar ... there were 125,000 CC accounts compromised and each compromise included the cardholder's name, CC#, expiry dates and the secure code. In other words, "Jackpot" data.

Re:Much better information here ....

I know with our PCI audits we were told to expect close to $250,000 minimum for a breach involving credit cards. While I'm not looking forward to making more money for those company, it sounds like their deterants may be stronger.

Ah, a liberterian I see

[rsilvergun]

"I usually believe laws are bad"... unless they directly benefit me. Then they're Grrreat!

Sorry, I'm a bitter socialist :)

Is it me or is it odd that it hits a restaurant?

[Opportunist]

A restaurant? C'mon, can you get any smaller when targeting a business? Anyone else here thinking we're getting a scapegoat as a "look, we do something about your privacy concerns" showpiece?

Wake me when a corporation gets slapped for selling my info. 'til then, nothing to see here.

Re:Is it me or is it odd that it hits a restaurant

[magamiako1]

Would you rather them ignore smaller businesses just because they're small?

Your argument makes no sense. Corporations are not *selling* your personal information (as defined by the MA law), so it's not covered. In this case, certain information was compromised (financial details) and that's what they go after.

It's the first step in the right direction.

Don't forget TJX was in MA

Remember that in 2006 TJX lost +40 million customer records, and they're based in MA. Maybe they have a point with that law, even if it does seem a bit late.