Massachusetts AG Secures $795,000 Settlement for Alleged Data Security and Breach Notification Failures

Sheppard Mullin Richter & Hampton LLP

On August 19, Massachusetts Attorney General Andrea Joy Campbell announced a $795,000 settlement with a property management company for alleged violations of the Massachusetts Consumer Protection Act and the Massachusetts Data Security Law and Data Security Regulations. The AG alleged that the company failed to maintain reasonable data security practices and delayed required notifications to both regulators and consumers following multiple cybersecurity breaches.

According to the press release, the company manages hundreds of residential properties across Massachusetts and experienced five separate breaches between November 2019 and September 2021. Hackers accessed sensitive consumer personal information, including Social Security numbers, driver’s license numbers, and bank account data, through phishing emails. Nearly 14,000 notice letters were ultimately sent to affected consumers, but two of the five breaches allegedly went unreported for almost seven months.

The consent judgment imposes the following requirements:

  • Monetary relief. The company must pay $795,000 to the Commonwealth.
  • Cybersecurity enhancements. The company is required to implement phishing protection, multi-factor authentication, a vulnerability management program, an asset inventory, and an intrusion detection and prevention system.
  • Security monitoring and assessments. The company must deploy a security incident and event management platform and conduct annual independent security assessments for three years.

Putting It Into Practice: Massachusetts remains highly active in consumer protection enforcement and legislative initiatives (previously discussed here and here). Property managers, financial institutions, and other businesses handling personal information should review existing safeguards against phishing and similar attacks, confirm that breach notification procedures meet state requirements, and ensure that monitoring and vulnerability management programs are current.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Sheppard Mullin Richter & Hampton LLP
