Slashdot Mirror


$110,000 Fine Is First Under MA Data Privacy Law

chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data-stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."


  1. money grab by Charliemopps · · Score: 2

    While I applaud the effort to crack down on incompetent business like this... I have to ask... who got the money from the fine? The victims? Doubt it...

    1. Re:money grab by bmo · · Score: 2

      We, as a society, have chosen fines as a reasonable way to penalize businesses that do things the wrong way. It's not about "making someone whole." It's about exacting punishment to make an example for others and to motivate businesses not to do unwanted behavior.

      So, what's your real problem with this? We should expect businesses to not play silly buggers with credit card information. I'm sorry if I don't shed a tear here.

      --
      BMO

    2. Re:money grab by ShakaUVM · · Score: 2

      >>FTFY. If you think the credit card companies pay for fraud, you're crazy. If they actually were having to eat those costs, we might get actual security in this system.

      If merchants verified everything they were supposed to, then the financial institution bears the cost of the fraud.

      http://en.wikipedia.org/wiki/Credit_card_fraud#Merchants

    3. Re:money grab by Darinbob · · Score: 2

      It's a punitive fine. The intent is to hurt enough that the company decides it needs to get on the ball. If the fine is too low then companies in the past have just factored this in as a cost of doing business. Ie, they may feel it's less expensive overall to not pay someone to implement better security.

    4. Re:money grab by gcatullus · · Score: 3, Informative

      As a merchant I deal with credit card chargebacks on a regular basis. All a customer has to say is "that is not my charge." We have to send back documentation, such as proof of signature. If the charge happened at the credit card readers at our gasoline dispensers, we have no signature, and we eat the charge. We have even offered to provide the customer or issuing bank with the license plate number and a picture of the person and vehicle charging, but that means nothing. That is why in many locations you need to enter your zip code at a pay-at-the-pump; this offers some security to the merchant, even though by rule the merchant still must eat the charge if the customer balks.

      Now if the merchant goes tits up or goes bad and steals money from the customers' credit cards and can't pay it back, then the merchant's processing ISO is on the hook. The processor isn't Visa/Mastercard or the issuing bank; it is someone like First Data or a myriad of other middlemen. The processor gets as little as 3 to 6 cents a transaction, passing the interchange cost to the merchant. The merchant has paid anywhere from 50 cents a transaction to 3% for the convenience of letting a customer pay with credit. The issuing banks and the cartel of Visa/Mastercard are on the hook only if the processor goes under. And even then it is the issuing banks that deal with the customer directly, and they are the only ones who can decide to credit or not credit the customer.

      The problem with this system in the United States is that the entities that make money off of credit card transactions, i.e. the issuing banks, have absolutely no incentive to make the system more secure. They do none of the work, other than marketing their credit cards and profiting off of their card holders who use their cards and the merchants who accept their cards.

  2. 5 year old kids reading this? by Haedrian · · Score: 2

    "essentially, get its *&@! together."

    Yeah, get your special characters together!

  3. The last part is the kicker by winkydink · · Score: 3, Insightful

    Everything here could happen to almost any SMB out there. But to keep taking credit cards _after_ knowing you've been hacked?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Re:Lesson... by LordNimon · · Score: 4, Insightful

    Why should I? If there are any fraudulent charges, my credit card company will reverse them. Constantly reloading a debit card is a big hassle, and carrying around that much cash with me is unsafe.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  5. Re:Goodbye MA Businesses by postbigbang · · Score: 2

    And good riddance.

    --
    ---- Teach Peace. It's Cheaper Than War.
  6. Way back when, in 1993, I was on a trip to Geneva by PolygamousRanchKid+ · · Score: 2

    I was surprised about a half year later, that the hotel sent me a birthday card. I mentioned this to a colleague (a security specialist), who stayed often in the same hotel. I found it amusing, but he told me, "Now imagine that they get new computers, and the old ones are given away . . . with all our private data on it."

    Food for thought . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  7. Re:Lesson... by Ruke · · Score: 4, Insightful

    While it is valuable to keep security in mind, I think that you might be taking it a little over the edge. Despite the fact that identity theft does happen, the rate at which it happens is low enough that the benefit of using credit outweighs the risk of having your identity stolen. Keeping an eye on your bank statements, and immediately contacting your bank in the event that any suspicious charges show up, seems to be a much more reasonable strategy for 95% of the population than carrying large amounts of cash.

  8. Re:low fine by Solandri · · Score: 2

    The average ID fraud in 2009 was for over $4000. They had open access to CC details for 8 months! Even the out of pocket expenses per fraud victim is over $600, so if there were 200 victims as a result of this company's lax security, the fine isn't even on par with the individual cost of those affected, which is absurd.

    From TFA, it sounds like the only customer info on the compromised system was credit and debit card numbers. Cardholder liability for fraudulent use of their credit card is limited to $50 by U.S. law. Similarly, Massachusetts law limits cardholder liability for debit cards to $50.

    So by your reasoning, the fine should have been 200*$50 = $10,000. (From reading TFA it sounds like there were a lot more than 200 victims. But I just wanted to make the point that there's a huge difference between credit card theft and identity theft).

  9. Fine was NOT for Breach Law Violation by 517714 · · Score: 4, Informative

    125,000 accounts (account number, cardholder name, expiration date and secure code) were exposed.

    Here are a lot more details and the complaint

    Briar Group was ordered to comply with the Data Law, but they were NOT fined under that law, which went into effect after the data breach was eliminated. They were fined for violation of Title XV, Chapter 93A.

    --
    The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  10. Re:Goodbye MA Businesses by Darinbob · · Score: 2

    No, the victims were the customers of the restaurant chain. The company wasn't fined merely for getting infected. From the article, the attorney general claims they "continued to accept credit and debit cards from customers even after it learned of the breach." That doesn't sound like a victim; instead it sounds like they were actually helping the malware through inaction. Of course the company denies this, so it always comes down to he-said/she-said.

  11. Much better information here .... by gordguide · · Score: 4, Informative

    When I read the article cited in the OP, the first question I had was how many accounts were compromised. Nothing on that in the article. So, I looked at the AG's press release. Not a word about it there, either. That seemed suspicious to me, so a bit more digging revealed this link:

    http://www.massdataprivacylaw.com/data-breach/massachusetts-attorney-general-v-briar-group-llc---data-breach-settlement---the-details/

    ... with such tidbits as the charges were laid by the AG in court on the same day the settlement was announced. Go ahead, check out the link, there's more. Much more.

    Anyway, the number of accounts was of interest to me because I wanted to see exactly what the AG valued a breach at .... in other words, what is a company likely to pay in a fine for negligently giving my CC details away? Turns out the value is about a dollar ... there were 125,000 CC accounts compromised and each compromise included the cardholder's name, CC#, expiry date and the secure code. In other words, "Jackpot" data.

  12. Re:Lesson... by RajivSLK · · Score: 2

    The term identity theft makes me laugh ever since I heard this: http://www.youtube.com/watch?v=CS9ptA3Ya9E

  13. Re:Is it me or is it odd that it hits a restaurant by magamiako1 · · Score: 2

    Would you rather them ignore smaller businesses just because they're small?

    Your argument makes no sense. Corporations are not *selling* your personal information (as defined by the MA law), so it's not covered. In this case, certain information was compromised (financial details) and that's what they go after.

    It's the first step in the right direction.

  14. Re:Did they use... by GameboyRMH · · Score: 2

    As much as Outlook sucks major ass, is switching from in-house email to hosted email a positive step for privacy and security?

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel