October 12, 2016
In a settlement announced today, software company Entrinsik agreed to provide better warnings after a Vermont college experienced a security breach that potentially exposed 14,000 social security numbers due to the ordinary use of its reporting tool. Because the Attorney General believes that the software practice involved is widespread and many companies may not even realize that this practice could violate State law, no monetary penalty was imposed. Entrinsik, however, agreed to highlight the issue for Vermont consumers through the use of warnings and dialogue boxes that adequately alert users and IT staff to the software vulnerability.
“We take the privacy of our citizens seriously and are pleased that Entrinsik worked cooperatively with our Office to fashion a solution to this problem,” said Attorney General Bill Sorrell. “This settlement is a warning to companies whose software introduces similar vulnerabilities.”
The reporting tool, known as Entrinsik Informer, runs through a browser such as Internet Explorer. When a user exports a report using Informer, the application draws on browser functionality which sometimes creates two files – the expected export file, and a separate, plain-text, file, which is stored in a temporary or Downloads directory but is not automatically erased. The user, the business, and the IT staff often are unaware of this second file, so while the business may be taking reasonable steps to protect its data security, this unexpected “temporary” file slips through the business’s defenses.
Vermont law requires businesses to take reasonable steps to protect their customers’ data, and allows them to rely on a reputable vendor for software. When that software introduces security vulnerabilities, even if it’s only through reliance on how another product operates, the creator of the software must either eliminate the vulnerability or, if that is not possible, warn their business customers of the specific issues so that they can protect themselves. “We hope that other software companies will, like Entrinsik, recognize that they must take responsibility for how their software operates, even if it relies on functionality from a different product like a web browser, and take proactive steps to address the issue,” said Sorrell. “While we did not think a penalty was appropriate in this instance, now that the industry has been warned we probably won’t treat the next incident the same way.”
More information about the Attorney General Sorrell’s efforts to protect consumers and address data breaches can be found at http://ago.vermont.gov/focus/consumer-info/privacy-and-data-security1.php.
SOURCE: Vermont Attorney General’s Office