Data breaches and breach notifications: stuff only big businesses have to be worried about, right? Apparently not, according to Vermont’s Attorney General:
“At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach.”
And to prove it, the AG has fined a Vermont business $3,000 in civil penalties.
Quick Fix but No Notification
The business that got the dubious honor of receiving the first fine for not sending notification letters (at least, that I know of) is Shelburne Country Store in Shelburne, Vermont. According to their website, the business was established in 1859 and offers the type of stuff you’d expect from an idyllic Vermont gift shop.
Indeed, if the pictures on their site are anything to go by, it seems almost too idyllic, too stuck in the past. So much so, in fact, that I’d almost believe that they didn’t know of the need to contact people affected by the breach, despite breaches at Target and dozens of others that made national news.
(Also, I wouldn’t be surprised that they were hacked and had customers’ credit cards stolen. It feels a bit like I’m looking at the last days of Geocities).
Regardless, they do have a website from which you can order merchandise. It was hacked in late 2013 and credit card details were stolen. Shelburne Country Store quickly fixed the problem, according to databreaches.net (and it appears that they may have revamped their website while they were doing so); however, they never contacted customers who were affected by the credit card data theft.
Vermont Breach Notification Law
Vermont is one of the 47 states that have passed a security breach notification law. Among its requirements, a breached entity must notify the state AG within 14 days of discovering the data breach. Furthermore, affected customers must be notified no later than 45 days after the breach is discovered.
I’ve often wondered what would happen if a business decided not to contact people. I mean, how would the state AG or anyone else really know, unless they got help from a whistleblower? Especially if said business was tiny? And what exactly would happen if they were caught?
I guess now we know.