Job Service Settles With Massachusetts Over Data Breach, Written Security Plan Violation

A Rhode Island-based job placement service company will pay $230,000 in penalties under a data security settlement reached with Massachusetts Attorney General Maura Healey’s office.

The settlement cites the company’s failure to have and implement a proper written security program to protect personal information following a data breach in 2020 that affected more than 3,000 Massachusetts residents.

TradeSource is a job placement service that connects tradespeople with contractors in the construction industry and maintains a branch office in Natick, Massachusetts. According to the assurance of discontinuance, filed in Suffolk Superior Court, the company was hacked in December 2020 after an employee fell victim to a phishing email. This resulted in a compromise of credentials that allowed hackers to enter the system and steal the personal data of users, including names and social security numbers. In response to the data breach, Trade Source provided affected residents with two years of free credit monitoring and identity theft protection.

The attorney general’s office alleges that TradeSource violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place during or prior to the data breach. A WISP documents an organization’s protocols or guidelines to protect the security and confidentiality of personal information. Under Massachusetts laws, companies must maintain a WISP in order to protect such data.

Under the terms of the settlement, TradeSource will pay $230,000 in penalties. Additionally, the company must come into compliance with state laws, as well as continue to implement and maintain a WISP. TradeSource will also be required to designate a chief information security officer and train its employees on the importance of personal information security.

Topics Cyber Talent Massachusetts