Shelburne Country Store in Shelburne, Vermont will pay a $3,000 civil penalty for failing to inform 721 internet buyers of a security breach of their credit card information. In late 2013, the company’s website was hacked and credit card information stolen. Upon being informed of the breach in January 2014, the company quickly fixed the problem, but did not notify consumers until it was contacted by the Attorney General’s Office.
“At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach. ” said Attorney General Sorrell.
Under Vermont’s Security Breach Notice Act, businesses are required to send the Attorney General a confidential notice within 14 business days of discovery of a data breach. The business must also send notice to consumers in the most expedient time possible, but no later than 45 days. The Office of the Attorney General works with businesses and their counsel, particularly with small Vermont businesses, to help them address security breaches. The office has an open-line policy for anyone with questions about Vermont’s data security law or how to address a breach. The office brings enforcement actions under the Security Breach Notice Act only for serious violations.
Any business with questions about the Act can find guidance on the Attorney General’s website, call the office at 802-828-5479, or email [email protected].
SOURCE: Office of the Vermont Attorney General