Archives: Massachusetts Attorney General

Written by Cynthia J. Larose and Adam Veness


Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents.  Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach.  As a result of that data breach, Massachusetts Attorney General Martha Coakley conducted an investigation into the acts and practices of MPI in protecting the personal information of its customers, as defined by G.L. c. 93H, § 1.  Based on her investigation, Coakley alleged that MPI violated G.L. c. 93H et seq., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., and the Massachusetts Consumer Protection Act (G.L. c. 93A, § 2) by (a) maintaining personal information on an unencrypted laptop, and (b) failing to follow its own Written Information Security Program, as required by 201 CMR 17.03.

To settle the investigation, MPI entered into an Assurance of Discontinuance with the AG on March 21, 2012.  Pursuant to the Assurance of Discontinuance, MPI has agreed to pay a civil penalty of $15,000, and has further agreed that it will:

  • ensure that personal information is not unnecessarily stored on portable devices, including laptops;
  • ensure that all personal information stored on portable devices is properly encrypted;
  • ensure that all portable devices containing personal information are stored in a secure location;
  • effectively train employees on the policies and procedures with respect to maintaining the security of personal information; and
  • perform an audit of its compliance with its Written Information Security Program at least annually.

The Assurance of Discontinuance also requires that, for the years 2012 and 2013, MPI submit the results of its audit to the Attorney General’s office within 14 days of completion.  Given that the audit requirement says “on at least an annual basis,” it is conceivable that the Attorney General’s office could require MPI to conduct additional audits if the results are less than satisfactory.

Interestingly, this settlement has gone unreported by local media.  It is the third breach-related enforcement action by the Massachusetts Attorney General’s office.  In August 2011, the AG reached a settlement with Belmont Savings Bank for $7,500 and in March 2011, the AG reached a settlement with Briar Group, LLC for $110,000.   None of the settlements provide any guidance as to what kinds of reported breaches – or activity that relates to a breach – raise red flags at the Massachusetts AG’s office.    In all cases, however, the data was unencrypted in transit (Briar Group) and at rest (MPI and Belmont Savings).

Important Takeaway

If your business owns, stores, or licenses the personal information of Massachusetts residents, as of March 1, 2010, you must have a written information security program — and that program must be appropriately vetted, implemented with proper training of employees, and it must be revisited from time to time to ensure that it is still consistent with your operations.   Say what you do and make sure that you do what you say.

Contact a member of the Mintz Levin Privacy team for more information related to compliance with the Massachusetts data protection regulations, and for more information related to the legal requirements for when and how you must notify customers of a data security breach.   We’ve written extensively about compliance with the Massachusetts regulations, here.


For further information about the MPI settlement:

Attorney General Press Release

Maloney Properties, Inc. Letter to Affected Customers


Once again, we have evidence that failures to implement the most basic of data security measures can cost real money.

The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag.   Despite many headlines trumpeting the “first enforcement action,” this action was not brought by the AG’s office under the Massachusetts data security regulations. It was a consumer protection action brought by the Attorney General under the Massachusetts consumer protection law, 93A. 201 CMR 17.00 certainly played a part in the consent order and the Briar Group is required to implement a written information security plan, and supply a copy to the AG’s office within 14 days of the order.  The standards set out in 201 CMR 17.00 are the framework around which the settlement order is built, but the action was not one to enforce those regulations.   Those are coming.

A copy of the consent order is here – Briar Signed Consent Judgment – 3-28-11 (3).pdf.

Much has been written and blogged over the last couple of days about the consent order.  But what should businesses take away from this?  Retail and hospitality businesses are particularly vulnerable to data breaches because of the volumes of credit card information they process every day.  But they are also responsible for dealing with that aspect of their business as a part of doing business.
