Lessons learned from Briar Group data breach settlement with Mass AG

Much has been written about the recent settlement by the Massachusetts Attorney General with the Briar Group in connection with a significant data breach that occurred in 2009. Some of the early postings are very helpful (see links below), some have important mistakes, but I haven’t yet seen any that address a key insurance issue raised by the matter.

The Facts

Some of the basic information, as gleaned primarily from the complaint filed by the Massachusetts Attorney General, is as follows:

  • The Briar Group, LLC owns and operates several bars and restaurants in the Boston area.
  • In April 2009, hackers breached Briar Group’s network security and installed malicious code on its computer systems.
  • This malicious software may have enabled the hackers to extract customers’ credit and debit card information.
  • In mid-October 2009, a European payment card processor noticed possible fraudulent activity relating to several credit and debit card accounts that had last been used legitimately at bars and restaurants owned by Briar Group.
  • This payment card processor notified Visa and MasterCard of the fraudulent card activity.
  • Visa notified the acquiring bank of the breach. The acquiring bank is the institution that had contracted with Briar Group to accept credit and debit cards as payment for goods and services provided by Briar Group to its customers, and to pay Briar Group subject to applicable charges.
  • The acquiring bank notified the firm that managed its payment card transactions with Briar Group and other merchants, and that firm subsequently notified Briar Group of the data breach at the end of October 2009.
  • At the beginning of November 2009, the president of the Briar Group said in an email that he wanted to do the right thing but did not want to pay for an investigation that could somehow be avoided. This issue became moot when Visa required Briar Group to engage a Qualified Incident Response Assessor to conduct a forensic investigation of the breach. This investigation began in mid-November. The malicious code was removed from Briar Group’s computer systems on December 10, 2009.
  • For six weeks – from the date it was informed of the breach until the date the malicious code was removed – Briar Group continued to accept credit and debit cards from its customers but did not inform them of the data breach.

The Massachusetts Attorney General’s complaint highlighted what the AG considered to be the Briar Group’s lax data security risk management practices.  These included the following:

  • the Briar Group didn’t change the default usernames and passwords on its point-of-sale computer system;
  • it allowed employees to share common usernames and passwords;
  • it didn’t properly secure its remote access utilities and wireless network; and
  • it continued to accept credit and debit cards from customers after it learned of the data breach.

The Settlement

The consent judgment requires a payment to Massachusetts of $110,000 in civil penalties; compliance with the Payment Card Industry Data Security Standard (PCI DSS); the establishment and maintenance of an improved computer network security system; and compliance with Massachusetts data security regulations.

Although the data breach occurred prior to the effective date of the Massachusetts data security regulations, the data security standards set forth in the regulations were used in the settlement.

Some have stated that the Briar Group’s $110,000 settlement represents the first penalty under Massachusetts’ stringent data security regulations that became effective in 2010.  This is incorrect; the regulations were not in place at the time of the breach. The Briar Group was instead charged with unfair and deceptive conduct under Massachusetts’ consumer protection law. While the $110,000 settlement figure has struck some as quite modest under the circumstances surrounding the breach, it is worth remembering that the Briar Group surely incurred substantial legal and forensic expenses as well.

Lessons Learned From Mistakes of Others

Edwards Angell Palmer & Dodge has issued a helpful Client Advisory discussing how the Massachusetts Attorney General’s approach in the Briar Group situation may presage a new avenue for government enforcement actions in data breach matters. Click here to read the Client Advisory.

The Briar Group’s security and data privacy mistakes provide useful due diligence guidance for other companies. A thoughtful and thorough post by Cynthia Larose of Mintz Levin discusses the questions that companies should ask themselves when they review their data security practices. Click here to read her post.

It is always preferable for companies to be able to review and update their data security practices based on information gleaned from the tribulations of others, rather than absorbing the “lessons learned” from their own breaches. Enhanced preparedness may not be sufficient to prevent a breach — the number of breaches and of targeted companies and industries keeps growing — but it can do much to reduce the aggregate cost of dealing with a breach. Companies should periodically review and update their data security practices and seek the counsel of their advisors.  In the long run such diligence is likely to be much less expensive than are the financial, operational and opportunity costs that companies will incur in dealing with virtually any and all data security breaches.

Bonus Question: Why Would Many Privacy/Data Security Insurance Policies Not Cover This Claim?

There are, unfortunately, several reasons why data security breaches with fact patterns similar to the Briar Group situation might not be covered, in whole or at least in substantial part, by many of the most popular privacy insurance policies now in the marketplace. Some of the coverage bans might be based on the insured company’s behavior, while others could be based on the nature of the claim — yet most or all of these potential coverage problems could very likely be avoided through careful negotiations when a policy is purchased. How many of these potential coverage problems can you identify?

Send your answers to this question to John Doernberg at jdoernberg@wgains.com.

Connect with John Doernberg on LinkedIn.
