Massachusetts Attorney General Enforcement Action: Data Breach, the Massachusetts Privacy Regulation and the Payment Card Industry Data Security Standard (PCI DSS)

Melissa J. Krasnow, Dorsey & Whitney LLP

In March 2011, a Final Judgment by Consent was issued in Massachusetts v. Briar Group, LLC, which involves a 2009 Massachusetts data breach and implicates the Massachusetts privacy regulation and the Payment Card Industry Data Security Standard (“PCI DSS”).1

The Massachusetts privacy regulation applies to any person or entity that owns or licenses personal information about a Massachusetts resident, meaning the resident’s first and last name, or first initial and last name, in combination with (i) a Social Security Number, (ii) a driver’s license or state‐issued identification card number or (iii) a financial account number or credit card or debit card number. Such a person or entity must implement and maintain a comprehensive, written information security program. The Massachusetts Attorney General enforces the Massachusetts privacy regulation. The deadline for compliance with the Massachusetts privacy regulation was March 1, 2010.2

The Payment Card Industry Security Standards Council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) sets and enforces PCI DSS, which contains requirements for a secure payments environment framework for any business that stores, processes or transmits payment cardholder data. For example, a business that accepts or processes payment cards must comply with PCI DSS. Interestingly, the following three states have laws addressing compliance with PCI DSS – Minnesota (which is based on, but does not specifically reference, PCI DSS) and Nevada and Washington (which each specifically reference PCI DSS).3

The Briar Group, a Boston restaurant chain owner and operator, experienced a data breach in April 2009 when malcode installed on its computer systems allowed hackers access to customers’ credit card and debit card information, including names and account numbers. The Briar Group reported the breach to the Massachusetts Attorney General on or around November 24, 2009, and the malcode was not removed from the Briar Group’s computers until December 2009.

The Briar Group entered into an agreement to resolve the Massachusetts Attorney General’s allegations that it engaged in unfair or deceptive acts or practices in violation of the Massachusetts consumer protection law by accepting credit and debit cards from consumers for transactions at its restaurants while failing to protect their personal information.4 According to the Attorney General, hackers using malware were able to gain access to the Briar Group’s computer system and extract customer credit card and debit card information because the Briar Group failed to implement basic data security measures.

Specifically, the alleged failures included (i) failing to comply with PCI DSS, (ii) failing to change default user names and passwords on its Micros Point of Sale computer system, (iii) failing to change passwords on its computer network for more than five years, (iv) allowing multiple employees to share common usernames and passwords, (v) failing to change passwords after employee termination or resignation, (vi) failing to adequately control the number of employees with administrative access to the Briar Group’s computer network, (vii) failing to properly secure its remote access utilities and wireless network, (viii) continuing to accept consumer credit cards and debit cards when the Briar Group knew of a data breach, and failing to alert its patrons to the data breach, while malcode remained on its computer system and (ix) storing payment card information in clear text on its servers.

The Briar Group agreed to (i) comply with PCI DSS and verify its compliance with the Massachusetts Attorney General’s Office, (ii) not knowingly maintain on its network after the authorization process the full contents of the magnetic stripe of a credit card or debit card, or of any single track of such stripe, or the CVC2/CVV2/CID of any such card or the PIN or PIN block of any such card, (iii) implement, maintain and adhere to, and produce to the Massachusetts Attorney General’s Office, a written information security program under 201 CMR § 17.00, (iv) review the scope of its security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information under 201 CMR § 17.03(i), (v) implement secure password management for the portions of its computer system that store, process or transmit personal information (including its Micros Point of Sale computer systems), (vi) implement secure password management under which each person with access to its computer networks is assigned a unique ID and (vii) segment appropriately from the rest of its computer system the network‐based portions that store, process or transmit personal information, by firewalls, access controls or other appropriate measures. The Briar Group also was required to pay $110,000 in civil penalties to Massachusetts.
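Obligation (ii) above, not retaining full magnetic‐stripe track data after authorization, and allegation (ix), storing payment card information in clear text, are the kind of condition a merchant can check for on its own systems. The following is an added illustrative example, not code from the Briar Group matter, the consent judgment or the PCI Security Standards Council: a small Python scanner that reads stored text (for instance a point‐of‐sale debug log) and reports ISO/IEC 7813 track 1 and track 2 data and bare primary account numbers, using the Luhn check to suppress digit runs such as order numbers. The log lines are constructed test data built from publicly known Luhn‐valid test card numbers, and the scanner reports only a masked PAN so that running the check does not itself create another copy of the card data.

```python
"""Scan stored text (e.g. POS or application logs) for payment card data that
must not be retained after authorization: full magnetic-stripe track data and
bare primary account numbers (PANs).

Added illustrative example; not code from the Briar Group matter or from the
PCI SSC. SAMPLE_LINES is constructed test data using well-known Luhn-valid
test card numbers, not real cardholder data.
"""
import re
from dataclasses import dataclass

# ISO/IEC 7813 track 1 begins "%B<PAN>^<NAME>^<YYMM>..." and track 2 begins
# ";<PAN>=<YYMM>...". Either one, stored after authorization, is the
# "full contents of the magnetic stripe" a merchant must not keep.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# A bare 13-19 digit run not adjacent to other digits; Luhn-checked below.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display maximum), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str


def scan_lines(lines):
    """Return one Finding per card data element found; never echoes the full PAN."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()  # PANs already reported as part of track data on this line
        for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append(Finding(line_no, kind, mask_pan(pan)))
                    seen.add(pan)
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            # The Luhn check filters out many order numbers and similar digit runs.
            if pan not in seen and luhn_ok(pan):
                findings.append(Finding(line_no, "pan", mask_pan(pan)))
    return findings


# Constructed sample: what a POS debug log must not look like after authorization.
SAMPLE_LINES = [
    "2009-04-12 19:03:11 swipe ;4111111111111111=12121011234?",
    "2009-04-12 19:03:12 auth ok order 2009041200017 amt 42.10",
    "2009-04-13 08:15:00 swipe %B5555555555554444^DOE/JANE^1212101?",
    "2009-04-13 08:15:02 card 4012888888881881 exp 12/12",
    "2009-04-13 08:16:00 card 1234567890123456 exp 01/13",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} data found, PAN {f.masked_pan}")
```

Run against the constructed sample, the scanner flags track 2 data on line 1, track 1 data on line 3 and a bare PAN on line 4, while the 13‐digit order number on line 2 and the non‐Luhn number on line 5 are ignored. Pattern matching of this kind is a detective control with both false positives and misses (encoded or fragmented data escapes it); the requirement in the judgment is met by not writing the data in the first place, and a scan like this is how one verifies that the point‐of‐sale software and its logging actually behave that way.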

Finally, the Briar Group must retain a Qualified Incident Response Assessor to investigate a suspected data compromise if it receives notice from a credit card company, payment card processing company, bank or law enforcement agency requiring a forensic audit of its Point of Sale Systems and related infrastructure because a Common Point of Purchase or similar analysis linked fraudulent transactions to Briar Group establishments. If the Briar Group is unable to conclude whether a data compromise has occurred within 14 days of retaining a Qualified Incident Response Assessor, the Briar Group will (i) post conspicuous notice in each of its potentially affected establishments alerting customers that their debit cards and credit cards might be at risk due to a suspected data compromise and (ii) provide a copy of this consumer notice to the Massachusetts Attorney General’s Office.

Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP who also is a Certified Information Privacy Professional and serves on the International Association of Privacy Professionals Publication Advisory Board.

1 Commonwealth of Massachusetts v. Briar Group, LLC, Civ. No. 11‐1185B, Consent Judgment (Mass. Sup. Ct. Mar. 28, 2011).
2 201 CMR § 17.00 et seq. (For additional information about the Massachusetts privacy regulation, please see Melissa J. Krasnow, Final Massachusetts Privacy Regulation: What is Required and How to Comply, Bloomberg Law Reports ‐ Risk & Compliance, Vol. 2, No. 12 (Dec. 2009).)
3 Minn. Stat. § 325E.64; Nev. Rev. Stat. § 603A.215; Rev. Code Wash. § 19.255.020. (For additional information about the Nevada and Washington laws, please see Melissa J. Krasnow, Revised Nevada Privacy Law Furthers Encryption and Payment Card Law Trends, Bloomberg Law Reports ‐ Technology Law, Vol. 1, No. 3 (Aug. 24, 2009), and Washington Continues the Trend of Encryption and Payment Card Laws, Bloomberg Law Reports ‐ Privacy Law, Vol. 3, No. 5 (June 2010).)
4 Mass. Gen. Laws ch. 93A § 2.

Can a Labor Union Be Sued Under the Computer Fraud and Abuse Act for Spamming an Employer’s Voice and Email Systems?

The answer is yes. On August 2, 2011, the Sixth Circuit Court of Appeals reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails, making it impossible for the company to communicate with its customers and vendors. Pulte Homes, Inc. v. Laborers’ International Union of North America, 2011 WL 3274014 (6th Cir. Aug. 2, 2011). This case is a good example of how the federal Circuit Courts of Appeals are taking control of the interpretation of the scope of the CFAA away from the district courts and applying it expansively to protect computer technology.

“To generate a high volume of calls, . . . [the Union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder]. It also encouraged its members, through postings on its website, to “fight back” by using . . . [the Union’s] server to send e-mails to specific Pulte executives. Most of the calls and e-mails concerned Pulte’s purported unfair labor practices, though some communications included threats and obscene language.” Id. at *1.
 
As the court pointed out, “it was the volume of the communications, and not their content, that injured Pulte. The calls clogged access to Pulte’s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte’s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte’s employees could not access business-related e-mails or send e-mails to customers and vendors.” Id.
 
“Four days” into the onslaught, “Pulte’s general counsel contacted” the union and requested that it “stop the attack because it prevented Pulte’s employees from doing their jobs.” Id. When the Union ignored his request, the company filed suit for, among other things, a violation of the CFAA for “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A). The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8).

The court, relying on the plain meaning of the terms “impairment,” “integrity,” and “availability,” concluded “that a transmission that weakens a sound computer system–or, similarly, one that diminishes a plaintiff’s ability to use data or a system–causes damage.” Id. at *4. Here, the court found that the complaint alleged “just that” – “the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails.” Id.

The court also found that the complaint adequately alleged that the Union acted with the intent the statute requires, namely intentionally causing damage. The court summed up the allegations in the complaint showing that the Union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system”:

(1) The union “instructed its members to send thousands of e-mails to three specific Pulte executives; (2) many of these e-mails came from . . . [the union’s] server; (3) . . . [the Union] encouraged its members to “fight back” after Pulte terminated several employees; (4) . . . [the union] used an auto-dialing service to generate a high volume of calls; and (5) some of the messages included threats and obscenity. And although Pulte appears to use an idiosyncratic e-mail system, it is plausible . . . [the union] understood the likely effects of its actions–that sending transmissions at such an incredible volume would slow down Pulte’s computer operations. . . . [The Union’s] rhetoric of “fighting back,” in particular, suggests that such a slow-down was at least one of its objectives.
Id. at *6.

This case is reflective of the pattern that has emerged over the past few years in the judicial interpretation of the CFAA. The district courts have interpreted the CFAA narrowly, sometimes limiting it only to outside computer hacking, while the appeals courts have continued to interpret the statute broadly as a true federal omnibus computer crime statute outlawing all criminal activity directed at computers and computer systems.