Wednesday, August 31, 2011

Massachusetts Attorney General says you must practice what you preach

In the first public settlement of its kind related to violations of the new Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00, Belmont Savings Bank has entered into a settlement with the Massachusetts Attorney General following a data breach in which an unencrypted backup tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents was lost after a Belmont employee failed to follow the bank’s own Written Information Security Program (“WISP”).
In May 2011, a Belmont employee left an unencrypted backup tape on a desk overnight rather than storing it in a vault; the evening cleaning crew then inadvertently threw it away. Although Belmont had a WISP that met the new Massachusetts data security standards, Belmont failed to comply with the WISP in practice. Specifically, Belmont failed to encrypt portable devices, such as the backup tape, that contained personal information.
The Attorney General’s settlement with Belmont provides for a civil penalty of $7,500 as well as injunctive relief to mitigate the risk of future data breaches at Belmont. Under the terms of the settlement, Belmont must comply with the provisions of its own WISP, including:
  1. Ensuring the proper transfer and inventory of backup computer tapes containing personal information;
  2. Storing backup computer tapes containing personal information in a secure location; and
  3. Effectively training the members of its workforce on the policies and procedures with respect to maintaining the security of personal information.
Attorney General Martha Coakley noted that, “Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well.” Bottom line: it is no longer enough for a business merely to have a WISP covering the treatment and protection of the personal information it holds. Organizations must actually put in place the safeguards they set forth in their WISPs.

Monday, August 22, 2011

Hacking Group Anonymous Breaches InfraGard

On August 18th, hacking group Anonymous published documents stolen from Richard Garcia, senior vice president of Vanguard Defense Industries. The collection of documents contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen 'counter-terrorism' documents classified as 'law enforcement sensitive' and 'for official use only.'


Mr. Garcia is also a director of U.S. defense contractor InfraGard, which was breached by one of Anonymous' affiliate hacking groups, LulzSec. In the initial post by Anonymous, they state that Mr. Garcia's account was easily hacked because he had not changed some of his passwords after the InfraGard breach in June.


One of the most sensitive emails published contains a reply from one of Vanguard's chief executives to a U.S. Department of Justice contact regarding the suitability of its ShadowHawk drones for use by U.S. Marshals. There are also reports of documents showing that a Merrill Lynch wealth management adviser gave Garcia private advance notice of upcoming S&P US credit rating downgrades. This report has yet to be substantiated.