In May, there were follow-ups to two breaches, but I missed them at the time. In the spirit of better late and complete than never, here’s the press release from the Vermont Attorney General’s Office:
Earlier today Attorney General William Sorrell filed a settlement in Washington County Superior Court with Embassy Suites South San Francisco, located in San Francisco, California. The agreement settles allegations that the hotel failed to notify consumers of a security breach in the most expedient time possible and without unreasonable delay. In July 2013, Embassy Suites South San Francisco received notifications from customers of unauthorized charges on their credit cards. Notice of a breach was not sent to Vermont residents until February 7, 2014, approximately six months later.
The Attorney General entered into a similar settlement with Auburn University, located in Auburn, Alabama, in late 2014. That agreement regarded an unrelated breach that took place in November 2013 involving the exposure of Vermont residents’ social security numbers. Auburn University took over two months to determine that a security breach had occurred after first discovering a security vulnerability, and did not notify Vermont residents until about four months after the vulnerability was discovered.
Vermont’s Security Breach Notice Act requires notice to the Vermont Attorney General within 14 days, and notice to consumers “in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery or notification of the breach.”
In the settlements, the two entities agreed to comply with Vermont’s Security Breach Notice Act in the future. Failure to do so will be considered a violation of the AOD. Both entities also agreed to implement policies and procedures to ensure future compliance with the Act.