Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s), in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’ Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standard (PCI DSS), a standard created by the Payment Card Industry Security Standards Council that applies to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements. Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell.

The payment card industry has long been leading the charge in protecting personal data. Governments often react to issues rather than regulate proactively, but private industry must try to anticipate problems before they happen. As such, private standards generally are better at protecting personal information than state statutes and regulations. Businesses always must be two steps ahead of identity thieves in order to protect consumer data and thrive in the marketplace; the price of not doing so is high, as Sony and others have learned and continue to learn. Given this, it’s not a surprise the AG looked to PCI DSS as a new legal standard.

Massachusetts Court Holds Disclosure of Patient Records Does Not Violate HIPAA or State Consumer Statute

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held that HIPAA permits disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.” The court held that disclosure pursuant to a court order requiring production of records constituted such a disclosure. The court also held that the sought-after records were likely to lead to admissible evidence regarding the defendant’s knowledge of the alleged propensity for violence of the resident who had committed the assault, and therefore ordered production of the records. [Thanks to Foley Hoag's Eric Haskell for this entry.]