Massachusetts restaurant chain Briar Group has become the first company fined under the state’s tough new data breach law and will have to pay $110,000 in penalties, according to a statement by the Massachusetts Attorney General. The Briar Group LLC entered into a settlement with Massachusetts Attorney General Martha Coakley over allegations that the chain failed to protect patrons’ personal information. The case stemmed from an April 2009 incident in which a malicious program installed on Briar’s computer systems allowed unknown hackers to access customers’ credit and debit card information. That malicious code wasn’t detected and removed until December 2009, according to a statement from the Attorney General.

According to the settlement, Briar Group, which owns and operates a number of bars and restaurants in the Boston area, failed to take reasonable steps to secure its infrastructure. The company failed to change employee login credentials for point-of-sale terminals and continued to accept credit and debit cards from customers even after it learned of the breach.

Briar Group will pay the Commonwealth $110,000 in civil penalties and must prove compliance with the state’s data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS). Restaurants in the Briar Group will also have to put in place a secure password management system and PCI-compliant data security measures.

The case is the first of its kind in which a violation of the Commonwealth’s data privacy law, 201 CMR 17, was prosecuted. That law, which took effect on March 1, 2010, is one of the toughest in the nation. The sole purpose of the law is to address the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information on Massachusetts residents, including name, Social Security number, driver’s license number or financial information, regardless of whether those organizations are based in or have offices in the state.

201 CMR 17.00 requires organizations that store personal information on Massachusetts residents to encrypt that information at rest, whether it sits in databases, on servers, laptops, desktops or mobile devices. Personal information transmitted over wired or wireless networks must also be encrypted.