A Massachusetts-based restaurant company recently entered into a settlement agreement with the Massachusetts Attorney General to settle claims that the company failed to take reasonable steps to protect the personal information obtained from its patrons through credit and debit card transactions. The Attorney General alleged that because the company failed to implement appropriate basic data security measures on its computer systems, hackers were able to use malware to access the company's computer system and steal the information. The settlement agreement requires that the company implement, maintain, and adhere to a written information security program, review the scope of its security practices at least annually, maintain PCI DSS compliance, and not knowingly store the full contents of the magnetic stripe of a credit or debit card, among other requirements. In addition, the company was required to pay a civil penalty of $110,000.
TIP: Companies doing business in Massachusetts should confirm that they are in compliance with the detailed Massachusetts data security regulation. Having a written program like that required under Massachusetts law can also help to ensure proper security measures under other states whose laws are not as detailed.