Peabody Settlement Reaffirms Massachusetts AG’s Commitment to Protecting Consumer Personal Information

Defense and Compliance Attorneys

Key point: Regulators will ensure corporate accountability by imposing stringent sanctions on businesses that are perceived as neglecting the protection of consumer personal information.

Recently, Massachusetts Attorney General (AG) Andrea Campbell, through the Office of the Attorney General (OAG), announced a $795,000 settlement with Peabody Properties, Inc. (Peabody) following the recent filing of a complaint. The complaint alleged that Peabody (i) failed to adequately protect the personal information of thousands of Massachusetts residents and (ii) unlawfully delayed required data breach notifications to the OAG and affected consumers.

Background

Peabody, a Braintree-based company, manages approximately 227 residential properties with an estimated 15,700 units across the commonwealth of Massachusetts. The company serves a variety of populations, including veterans and senior citizens.

According to the complaint, Peabody reportedly experienced five separate cybersecurity breaches between November 14, 2019, and September 20, 2021. Unauthorized actors allegedly gained access to Peabody’s network on three occasions through phishing attacks, once using a malicious email, and once due to a ransomware attack. The complaint alleges that these breaches exposed sensitive personal information, including Social Security numbers, driver’s license numbers, and bank account information, of thousands of Massachusetts residents. Peabody sent nearly 14,000 notices to consumers as a result.

Like most states and U.S. territories, Massachusetts has statutes and regulations dedicated to protecting the information security and data privacy of its residents. These statutes and regulations outline certain information security requirements and articulate specific legal obligations that arise in the event of a “breach of security” — i.e., the unauthorized acquisition or use of data that is capable of compromising the security, confidentiality, or integrity of personal information and that creates a substantial risk of identity theft or fraud.

To that end, the complaint outlines two causes of action, alleging Peabody failed on multiple occasions to remedy pre-incident and post-incident shortcomings related to both information security and data privacy. The OAG brought a third cause of action for unfair or deceptive trade practices as a result of the two underlying causes of action. (G.L. c. 93A § 3).

Pre-Incident: Inadequate Information Security Program.

The OAG’s first count, under the Massachusetts Data Security Regulations (201 CMR 17.00–17.05), alleges that Peabody failed to “develop, implement, and maintain a [Written Information Security Program (WISP)] or security systems covering its computers to meet the minimum requirements of Sections 17.03 and 17.04.” The complaint indicates Peabody failed to conduct adequate risk assessments (including annual reviews of security measures), to provide ongoing employee training and ensure compliance with security protocols, to use multifactor authentication and strong passwords, and to implement effective protection software and monitor security software notifications or logs.

Post-Incident: Failure to Timely Notify the Massachusetts OAG and Consumers.

The OAG’s second count, under the Massachusetts Consumer Protection Act (G.L. c. 93H § 2), alleges that Peabody failed to timely provide notice to affected consumers and the OAG related to two breaches. Per the complaint, the November 2019 data breach was discovered in January 2020, but notification was not provided until seven months later in August 2020. The October 2020 breach was discovered in November 2020, but notification was not provided until seven months later in June 2021.

The Settlement

The settlement — a consent judgment — requires Peabody to take a variety of measures to address these alleged failures (on its own dime). Moreover, Peabody is subject to regulatory oversight for the next three years, as the business must comply with “all reasonable inquiries and requests” from the OAG regarding implementation of the requirements outlined in the consent judgment.

Specifically, Peabody is required to update its WISP to include the elements outlined in Sections 17.03 and 17.04 of Massachusetts Data Security Regulations, including implementing policies related to phishing, vulnerability management, multifactor authentication, asset inventory, data isolation, intrusion detection and prevention, endpoint security, and data loss prevention. Peabody is also required to provide mandatory employee training within 30 days of beginning employment and annually throughout employment.

Separately, Peabody is required to retain an independent third-party firm to review and assess its compliance on three occasions over the next two years and report the results of the assessments and corrective actions taken to the OAG.

Peabody is also directed to share copies of the consent judgment with business associates, including businesses that acquire, operate, or oversee Peabody, and incoming officers or members of Peabody or any present or future subsidiaries of Peabody.

Future Trends

We anticipate the Massachusetts OAG will continue to file lawsuits against companies that allegedly fail to comply with the information security and data privacy obligations articulated by Massachusetts’ statutes and regulations. Since taking office in 2023, AG Campbell has taken a consumer-forward approach to privacy and security, and according to the OAG, this lawsuit reflects AG Campbell’s “broader efforts to ensure corporate accountability in protecting Massachusetts residents’ personal information.”

It remains uncertain whether any single factor would have independently brought the company to the attention of the OAG. However, the presence of the following factors collectively may have contributed to the OAG taking note of this particular incident:

  • Multiple breaches occurring in a short time frame;
  • Multiple breaches resulting from a similar mechanism;
  • The number of affected consumers and their demographics (such as vulnerable populations); and
  • Perceived delays in notification to affected consumers and/or regulators.

More broadly, this lawsuit and settlement demonstrate that consumer protection remains a top priority, and regulators are prepared to prove it in court. Regulators are becoming increasingly vigilant and willing to wield (more aggressively than before) their ability to impose sanctions on businesses as a mechanism to ensure compliance with legal obligations. It would not be surprising to see active regulatory bodies in other states (e.g., California, Illinois, Indiana, North Carolina, Texas, and Washington) pursue similar legal action.

© Copyright 2025 Credit and Collection News