A lawsuit out of Massachusetts related to a breach of cardholder data by the Briar Group, LLC resulted in a $110,000 settlement by the company. This is noteworthy because it shows that penalties for failing to protect cardholder data can come from both the card brands and state privacy enforcement. Although the settlement amount itself is not extremely high, the other requirements coming out of the settlement can push the real cost well above it. The settlement requires the Briar Group not only to pay the monetary penalty, but also to comply with the Massachusetts data security regulations and the PCI DSS. As a merchant, the Briar Group's acquiring bank would already have required PCI compliance, but it is unclear what merchant level they were at the time of the breach and how they were validating compliance. It is my guess they were self-assessing, which consists of checking yes or no for each applicable requirement on a Self-Assessment Questionnaire and requires no formal PCI training by the company.
Based on the reports, attackers were able to get into the network and install malware that gave them access to cardholder data. Appropriate monitoring controls (the logging, log review and intrusion detection called for under PCI DSS Requirements 10 and 11) were apparently not in place, since the intrusion went undetected from April to December of 2009. Regardless of the specifics, the point is that merchants and service providers need to understand what the risks to their environments are, how those environments should be secured, and the various penalties that can be levied on them for non-compliance and poor security and privacy practices. When a breach of cardholder data occurs, MasterCard automatically escalates the merchant to Level 1, which requires an onsite assessment by a Qualified Security Assessor (QSA). Visa may also escalate your validation level after a breach. We have found that the majority of organizations that move from performing a self-assessment to an onsite assessment by a QSA are found to be non-compliant with the PCI DSS. The costs of meeting all requirements and implementing the appropriate security controls can get pretty steep.
Every organization needs to understand all of the requirements it is bound by when handling personal information such as cardholder data. Depending on the type of data you hold, contractual and regulatory requirements may include PCI DSS, HIPAA, COPPA, FERPA, and the other state and federal privacy and security laws that the majority of states are now adopting. Implementing these requirements helps reduce the chance of a breach, ensures controls are in place to detect a breach when one occurs, and reduces liability afterward. For example, under PCI, if you are found to have been compliant with the standard at the time of a breach, the card brands may reduce or eliminate their fines. However, the costs of remediating your environment after a breach, issuing individual breach notifications under each applicable state law, undergoing an onsite assessment, paying for forensic services, providing credit monitoring to affected individuals, and settling any penalties from lawsuits can add up to staggering amounts.
SecureState recommends that organizations become intimately familiar with all of the security and privacy requirements they are subject to, so that they understand exactly what they must do to adequately protect personal information and what the consequences are if they do not. Compliance is more than meeting a minimum set of requirements; it also means ensuring you have addressed the risks to the security and confidentiality of the data entrusted to your organization.