Massachusetts Extends Reach of Data Protection Regulations

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

Although the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept payment cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.

What does this mean to my company?

The Judgment by Consent has far-reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems are all covered by these laws and regulations.

What should my company do?

Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords; user access should be limited on a need-to-know basis and removed promptly after an employee is terminated; employees need to be trained on your organization’s information security policies; and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirement for a Written Information Security Plan and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.

What are the consequences of not complying?

The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair or deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.