A follow-up to a breach reported on this blog (but not in the mainstream media) in November 2011:
A property management firm will pay $15,000 in civil penalties following the theft of a laptop containing the personal information of over 600 Massachusetts residents, Attorney General Martha Coakley announced today.
“It is incredibly important that businesses ensure that laptops and other technology have the necessary encryption to protect consumers from identity theft,” AG Coakley said. “We will continue to make sure that companies understand their responsibilities under the data privacy laws and are held accountable when they do not adhere to them.”
According to the Assurance of Discontinuance filed in Suffolk Superior Court today, an employee for Maloney Properties, Inc. (“MPI”) had a laptop containing the unencrypted personal information of up to 621 residents stolen from her car during the night. MPI has indicated that it has no evidence that consumers’ personal information has been acquired or used by an unauthorized person or for an unauthorized purpose.
In addition to paying $15,000 in civil penalties, according to the Assurance of Discontinuance, MPI must:
- ensure that personal information is not unnecessarily stored on portable devices, including laptops;
- ensure that all personal information stored on portable devices is properly encrypted;
- ensure that all portable devices containing personal information are stored in a secure location; and
- effectively train employees on the policies and procedures with respect to maintaining the security of personal information.
This matter was handled by Assistant Attorneys General Sara Cable and Shannon Choy-Seymour of Attorney General Coakley’s Consumer Protection Division.
So why penalties for this firm and not other firms that have had laptop thefts or thefts of data from less than really secure locations? Surely Massachusetts gets a lot of breach reports each year. And I’d bet this isn’t the only time that unencrypted data were stolen from a car. So why this one? It would have been helpful for the AG to explain why this breach merited a fine that other breaches didn’t merit.
Interestingly, not only did this breach not attract media attention at the time of their disclosure, even the penalty has not (yet) attracted mainstream media attention. The AG issued this press release on March 21, and I see no reference to the fine in any media coverage since then. If the AG wanted to make a point, this may not have been the right case or the best way to go about making whatever the point is.