Attorney General William Sorrell has reached a settlement with Natural Provisions, a grocery store in Williston, Vermont in which Natural Provisions agreed to spend $15,000 to significantly upgrade its computer security system to exceed minimum legal protections, and to pay $15,000 to the State, in addition to other injunctive relief. The settlement resolves allegations that Natural Provisions failed to promptly notify its customers of a substantial data security breach and failed to expeditiously correct vulnerabilities in its system to fix its security. Consequently, Vermont consumers had credit cards compromised resulting in tens of thousands of dollars of credit card fraud. “In this age of increasing digital and electronic commerce, businesses must be ever more vigilant to guard against identity theft and the immense financial losses and headaches that can follow the theft of important personal information,” said Attorney General Sorrell.
The security breach at Natural Provisions involved theft of credit card numbers used at the store in 2012. When banks traced the fraud back to Natural Provisions, the store was informed that it was the likely source of the fraud. Under Vermont law, a company must notify the Attorney General within 14 days of the discovery of a breach, notify its customers within 45 days, and quickly take steps to remedy the breach. Natural Provisions failed to meet these standards. After it first obtained information that a security breach might have occurred at its store, it did not commence taking remedial action to resolve the security vulnerability for more than a month. It did not notify the Office of the Attorney General, comply with the Data Breach Notification Act, or complete remedial action necessary to resolve the security vulnerability for more than forty-five days. Prior to the security vulnerability being resolved, tens of thousands of dollars of credit card fraud took place. Some consumers had their credit cards compromised, had cards reissued, and had the new cards compromised after use at Natural Provisions.
By some estimates, over half of all data breaches take place at small businesses, which tend to be easy targets due to inadequate security. When companies suffer a breach and quickly inform the Attorney General as required by law, the office typically attempts to work with the company to foster compliance with Vermont’s laws and to fix the security problem, hopefully avoiding the necessity of taking any enforcement action. Assistance has included offers of free forensic analysis and security advice.
Further information about data security can be found at:
http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security.php#CCC.
SOURCE: Attorney General Sorrell