Mass. Data-Breach Settlement a 'Cautionary Tale' for Businesses, Lawyer Says
An August settlement between the Massachusetts attorney general and a property management company over its shortcomings in handling a cybersecurity breach is a cautionary tale for any business collecting and storing consumer data, said a Hudson Cook lawyer in a blog post Aug. 29.
The $795,000 settlement with Peabody Properties came in the wake of five phishing-based cyber intrusions at the property management company that leaked sensitive personal information of almost 14,000 Massachusetts residents, Jay Harris said. The personal information included Social Security numbers, driver's license data and bank account details.
Peabody was slow in informing customers and regulatory agencies, resulting in unlawful conduct, AG Andrea Campbell (D) determined. For example, the first two cyber incidents were not disclosed until almost seven months after Peabody discovered them, Harris said.
"For Massachusetts property operators, this settlement is a reminder of the strict requirements of the state's Security Breach Notification Law and Data Security Regulations," Harris wrote. "These laws require prompt notice to the [AG], the Office of Consumer Affairs and Business Regulation (OCABR), and affected residents whenever a breach of security occurs involving personal information." Even if "the full scope of affected individuals is not yet known," companies can't delay notification, Harris added.
Massachusetts law holds that companies offering housing or financial services, among other businesses, "maintain a Written Information Security Program (WISP) with administrative, technical, and physical safeguards appropriate to the size and nature of the business," he added.
In addition to the monetary penalty, the settlement -- if approved -- would require that Peabody provide a suite of security measures, including multi-factor authentication, phishing-protection tools, vulnerability management and intrusion detection and prevention.
The incident and settlement underscore "not only the financial and reputational costs of poor breach response, but also the regulatory expectation" that property managers "safeguard renter and applicant information," Harris said.
Avoiding Peabody's mistakes, Harris said, requires that boards and executives "treat cybersecurity as a core compliance function, not a back-office IT issue."
Also, the lawyer said "incident response plans should be in place and tested," and organizations should create executive-level reporting structures for data security. Senior leadership should receive periodic briefings on vulnerability assessments, system monitoring, and regulatory obligations, to prevent regulatory gaps and ensure consistent protections across business lines, added Harris.