I have a natural passion for keeping people safe and secure as many of you know. I also have a real passion for technology law which might be evidenced by the doctoral pursuit in law. I also follow the news looking for cases that have been adjudicated and what the verdict or in most cases, what the settlements look like. Part of this comes from being tuned into case law in school, but also my day job as Chief Information Security Officer compels me to stay ahead of the threatscape. A news article came out this week that is particularly interesting and I’ll explain why.
Massachusetts levies data breach fines against restaurant group
Massachusetts levied its first data security data breach fine against the ownership group of several Boston area taverns in a settlement that forces the organization to pay $110,000 for failing to secure its patrons’ personal information. ($110,000 is all! What a bargain to the retailer. There is gross negligence here and numerous victims. It is a shame that the government has declared this to be their “first data security breach fine” when commerce fraud has been occurring for many years. There is a conflict of interest here if you begin to analyze the issue. First, we have a need for “Job Creation” and crushing employers damages that concept. Second, there are consumer protections in place and they must be protected. So this particular scenario is the virtual “beads for the natives” to me. You slap the offending retailer for their gross negligence and in doing so; you are “protecting” the consumer. This is watered down just like the light beer they serve. Governments and private companies are typically slow to make changes and it is only after the long process of adjudication does the private citizen make changes for themselves it seems.)
The lawsuit also alleges that the Briar Group used default usernames and passwords on its point-of-sale system, making it easier for outside attackers to gain access to the sensitive data. In addition, the restaurant group allegedly let multiple employees share common usernames and passwords to access the system and it failed to secure its remote access and wireless network. The organization continued to accept credit and debit cards from consumers after it knew of the data breach. (Security 101 here! A person would have no survival skills here and be subject to natural selection if they think free love networks, shared accounts and default passwords are acceptable. Geeks have a word for this and it is “TechTard.” Would you leave your doors unlocked for anyone to come and go as they please? Would you hand out copies of your keys to anyone that you invite over to the house? Would you allow strangers to rummage through your file cabinet or underwear drawer? Hell No! This just speaks to gross negligence to me and must be adjudicated further.)
Here is a link to the actual report: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1529350,00.html
Some interesting facts are:
- “Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” – Martha Coakley, Attorney General, Massachusetts (Release the hounds! Not like I think that will happen but it will probably continue to resemble the slow reactive posture taken by the government.)
- “In addition to the civil penalty, the organization must comply with Payment Card Industry Data Security Standards (PCI DSS and establish and maintain “an enhanced computer network security system.”(The fundamental problem here is that anyone engaged in the processing of credit and debit transactions are already required to comply with the PCI standards. The issue is in the enforcement of those standards. There are so many retailers out there who ignore the standard and the folks who enforce PCI are not in a really good position to enforce the standards. The government does not concern itself intimately with PCI because it is an industry driven standard and not legislation. Chances are, when you swipe the plastic, you are subjecting your identity to a “security crap shoot” and it teeters on encountering the wrong employee or war-driving intruder. The average cost in damages to consumers is $1,500 and to retailers it is $204! In my mind, there is a class-action law suit brewing here that will put more serious mandates on consumer protections than exist today.)
It will be interesting to see if consumers affected by this beer breach are placated or if some independent litigation will emerge. What would your outlook be under the circumstances?