On December 19, the Massachusetts Attorney General announced a $155,000 settlement with a California-based payment processor resolving allegations that the company exposed consumers’ personal information online in violation of consumer protection and data security laws. According to the announcement, the company employees accidently removed password protections from public-facing websites, which exposed consumers’ personal data, such as bank account and social security numbers, addresses, and driver’s license numbers. The Attorney General’s investigation claims that company employees appeared to know of the vulnerability for a year before fixing it. Under the terms of the settlement, the company has agreed to comply with Massachusetts laws and is required to (i) maintain a chief information security officer; (ii) conduct employee training on data security; and (iii) “assess and update information security policies relating to changes to its systems and to external vulnerabilities.”