Friday, October 7, 2011

Attorneys General continue to increase legal standards for data privacy compliance

Many have written about, and several have contemplated, the possibility that states will adopt private data security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), and use them as legal standards that owners and holders of personal information (PI) must comply with.

That’s exactly what the Massachusetts Attorney General did when it recently filed suit against Briar Group, LLC and alleged, among several other things, that Briar was not PCI compliant at the time of its data breach in November 2009, affecting 53,000 MasterCard and 72,000 Visa accounts.

PCI DSS is a private data security standard created by the Payment Card Industry Security Standards Council that applies to all organizations that store, process or transmit payment card data. The Complaint alleged that Briar's failure to implement basic data security measures on its computer system allowed hackers to gain access to Briar's customers' credit and debit card information.

Please see full article for more information.

Briar ultimately settled with Massachusetts through a consent judgment with the following penalties, in part:
Briar Group to pay State of Massachusetts $110,000;
Establish a Written Information Security Program;
Maintain PCI compliance and verify same within fourteen days;
Revise password management process; and
Implement various network system changes.

So here is a point that Briar Group, or any company responsible for private information about its employees, suppliers or customers, should consider: having a Written Information Security Plan (WISP) in place "Before" a breach happens is a worthwhile investment.

So much so that, had Briar been operating under a working WISP, it might not have been breached in the first place. Fire drills save lives because people are prepared and can stay calm in an emergency.

A WISP prepares an organization. The plan ensures that a company follows industry best practices. Nothing is perfect, but heavy fines and bad publicity are minimized by being prepared. A WISP creates a defensible position.

Dolvin Consulting and Cyber Security Auditors & Administrators (CSA2) work with organizations that are worried about the threat of lawsuits related to the loss of private information and concerned about the loss of their customer base from the erosion of confidence that results from data breaches.

Contact us today to see how we can help you sleep better at night.