A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s), in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standard (PCI DSS), the standard created by the Payment Card Industry Security Standards Council that applies to every organization that stores, processes, or transmits payment card data. To settle the suit, the Briar Group entered into a consent judgment under which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’s own strict legal requirements. PCI DSS is ordinarily a contractual obligation that a merchant owes to its acquiring bank and the card brands, not a legal one; here a court order makes continued compliance an enforceable term of a settlement with the state. Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell.

The payment card industry has long been leading the charge in protecting personal data. Governments tend to regulate in reaction to incidents, whereas private industry has to anticipate problems before they happen. As a result, private standards generally do a better job of protecting personal information, and are far more specific about how to do it, than state statutes and regulations. Businesses must always stay two steps ahead of identity thieves in order to protect consumer data and thrive in the marketplace; the price of falling behind is high, as Sony and others have learned and continue to learn. Given this, it is no surprise that the AG looked to PCI DSS as a ready-made legal standard.