Massachusetts recently joined a growing number of states pursuing data privacy enforcement actions, announcing a $795,000 settlement with Peabody Properties, Inc., a Massachusetts-based firm. The property company oversees more than 200 residential properties, including housing for veterans and seniors.
The Attorney General’s Office accused Peabody Properties of multiple data security failures that compromised the personal information of nearly 14,000 residents. The company allegedly mishandled sensitive data—such as Social Security numbers and bank account details—across five separate cybersecurity incidents that took place between November 2019 and September 2021, and it failed to timely notify those impacted in two of the incidents. According to the Attorney General’s Office, the breaches stemmed from phishing attacks that led to unauthorized access to Peabody’s systems.
Under the terms of the proposed settlement, Peabody Properties will be required to pay the financial penalty and comply with stricter data protection standards. These standards include adopting a vulnerability management program, deploying anti-phishing software, enabling multifactor authentication, and conducting annual security audits for the next three years.
The settlement underscores corporate responsibility in the digital age as more and more states are taking steps to strengthen data protection for individuals and imposing costs on businesses. Businesses need to ensure they are taking reasonable steps to protect the data with which they are entrusted. Reasonable steps for protection evolve over time. They cannot be set and then forgotten.