BOSTON — Massachusetts regulators have given restaurants and other businesses in the state an extra four months to comply with new standards for storing and protecting credit card data and other personal information about customers and employees.
The new standards come after notable security breaches at such state-based businesses as TJX Cos., which said in early 2007 that information from 45.7 million credit and debit cards had been stolen during an 18-month period, and the 13-unit Not Your Average Joe’s casual-dining chain, which in October 2007 discovered that credit card information from as many as 3,500 customers might have been compromised.
But while restaurateurs recognize the need for increased data security, they are concerned that the standards may prove a hardship, especially given the stalled economy.
“It’s difficult to assess how costly these new requirements will be,” said Maureen Ryan, spokeswoman for the National Restaurant Association. “However, we do know that government-mandated regulations like these often fail to consider the costs associated with implementation. Restaurants are currently operating in the most challenging environment since 1991. Additional costs associated with [these] requirements will not help the grim economic situation.”
The regulations, now set to take effect on May 1, 2009, require businesses to use encryption and firewalls to safeguard the data from hackers and identity thieves.
They also require that businesses designate at least one employee as being expressly responsible for maintaining the security of electronic data. Employees also must be educated on the importance of protecting personal information and trained how to use computer security systems properly.
Officials of the Office of Consumer Affairs and Business Regulations said they decided to extend the deadline for compliance because of the financial crisis currently affecting the U.S. economy.
The regulations initially were set to take effect Jan. 1, 2009, but in light of intervening economic circumstances, the OCABR extended the deadline in order to provide flexibility to businesses experiencing financial challenges brought on by national and international economic conditions, they said.
On May 1 businesses will be required to “encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data and utilize up-to-date firewall protection that creates an electronic gatekeeper between the data, and the outside world and permits only authorized users to access or transmit the data,” the OCABR said.
Failure to comply with the new regulations could result in sanctions from the state’s attorney general, said an official of the Massachusetts Restaurant Association, who characterized the cost of full compliance as exorbitant.
“If you really want to go through this to the letter, [the costs] are astronomical,” said Janine Harrod, director of government affairs for the MRA. She added that the new regulations would affect “even the way you handle employee information…not just customer information.”
“Even if your POS systems are up to date, what you do with your own staff information is subject,” she said. “It’s extremely pervasive.”
Harrod said it is her understanding that if businesses do not comply with the security measures, “the attorney general can raise an injunction against you and collect damages.”
She also noted that the new standards would affect “any time you take a reservation over the phone and want to take a credit card [number down].” She warned that even popular reservation services aren’t necessarily secure.
The NRA’s Ryan said several other states, including California, Texas, New York, Oregon and Maryland, have recently enacted similar security measures.
But Sam Hudson, an attorney with Foley Hoag, a Boston-based corporate law firm, said Massachusetts’ new mandates may well be the toughest in the country.
“This is one of the more comprehensive regulations enacted,” he said. “Where they have gone further is that it is very specific about standards of security for anyone handling personal security. Certainly, this will require restaurant [operators] to have really thought about what [their] information security system really is. They will have to take very specific steps to make sure the security is maintained.”
Canton, Mass.-based Dunkin’ Brands Inc., parent of Dunkin’ Donuts and Baskin-Robbins, said it is on track to meet the data security requirements by the deadline.
“Upon learning of the Massachusetts Office of Consumer Affairs’ new standards for the protection of personal information, Dunkin’ Brands conducted an internal review of our current data security policies and procedures and expect that we will be in compliance when the new standards take effect in May 2009,” the company said in a statement.
Eleanor Arpino, vice president of operations for Boston’s Davio’s Northern Italian Steakhouse and Avila Modern Mediterranean Restaurant & Bar, said her two concepts upgraded their “POS systems this past summer at all of our locations to immediately remove all credit-card information from our system to protect guests.”
“From an operations viewpoint, [the regulations] have drawbacks when it comes to customer service,” she said. “For example, if a client calls after an event and asks that we move some of the cost from one account to another for expense purposes, we now have no way to recall the account numbers and have to start over, getting the numbers over the phone, etc. This also means we are punching in the account numbers and not swiping the card, which costs us more money. A punched-in number is considered a higher fraud risk, so the credit card companies charge a higher fee.”
Arpino added: “If a guest calls to add a tip because they realize they forgot to, we cannot reopen that check and add it. We have to get all the information again and open a new check just for the tip and then punch in the numbers.”
Harrod said the MRA is working on ways to update members on the new security regulations.
“We have been e-mailing our members about this, but people have really been caught off guard,” she said. “The implications of this and the penalties are scary. This could be a whole other liability we’re creating on restaurants.”