In a February co-post with Baker Hostetler’s Hospitality Lawg, we wrote about security breach reports that continued to show hospitality and restaurant groups as favorite targets of hackers. Two of the factors we cited as explanations for their vulnerability—failure to secure wireless networks and not complying with the Payment Card Industry Data Security Standard (PCI DSS)—appear to have led to a breach that compromised payment card data and cost a Boston restaurant group more than $100,000.
On March 28, a company that owns and operates six Boston restaurants settled a lawsuit filed by Massachusetts Attorney General Martha Coakley, which alleged that the company failed to take reasonable steps to protect its customers’ personal information. Specifically, the lawsuit alleged that the company’s deficient computer security standards allowed an April 2009 breach, which exposed credit card account data of thousands of its customers. The press release from the Massachusetts AG indicates that the breach went undetected for eight months. The deficient security standards alleged in the complaint include: failing to change default usernames and passwords; failing to secure its remote access and wireless network; and continuing to accept credit cards after it learned of the breach.
The judgment requires the restaurant group to: (1) pay $110,000 in civil penalties; (2) comply with the Massachusetts data security regulations (which were not in effect at the time of the breach); (3) comply with PCI DSS; and (4) establish and maintain an enhanced computer security network, including following a written information security program.