Briar Group Forks Over $110K for Failure to Protect Guest Data

The Briar Group, LLC (Briar Group), which owns and operates several popular bars and restaurants in the Boston area, including The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar, and The Harp, entered into a settlement with Attorney General Martha Coakley today resolving allegations that the restaurant chain failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.

 

“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” says AG Coakley. “In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”

 

According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers.  The malcode was not removed from the Briar Group’s computers until December 2009. 

 

Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share commons usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach.

 

The judgment, signed on March 28, 2011, by Suffolk Superior Court Judge Giles, requires a payment to the Commonwealth of $110,000 in civil penalties; compliance with Massachusetts data security regulations; compliance with Payment Card Industry Data Security Standards; and the establishment and maintenance of an enhanced computer network security system.

 

Under the terms of the settlement, all restaurants in the Briar Group Chain must develop a security password management system and implement data security measures to comply with Payment Card Industry Data Security Standards state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.          

 

Although the data breach occurred prior to the effective date of the Massachusetts data security regulations, the data security standards set forth in the regulations were used in the settlement.

 

This matter was handled by Assistant Attorneys General Scott D. Schafer and Shannon Choy-Seymour of the Consumer Protection Division.