Mass. AG Fines Retailer for PCI Non-Compliance in Breach

May 2, 2011

The Massachusetts Attorney General’s office recently fined a Boston restaurant operator $110,000 for failing to secure the personal data of its customers. According to legal experts, holding a company legally responsible for protecting data—and especially determining that a violation of PCI-DSS standards constitutes consumer fraud—is unprecedented, but could signal a willingness by Massachusetts courts (and other jurisdictions) to do so. “The Briar Group enforcement action may have broad implications and telegraph the posture of the Massachusetts Attorney General in future data breach cases,” said a client advisory from law firm Edwards, Angell, Palmer and Dodge. “It may also be a harbinger of similar actions pursued in other jurisdictions on like grounds.” The advisory noted that based on the actions in this case, companies involved in security breaches will be expected to react quickly to remove any vulnerability.