Co-authored by: Charles K. Shih

Natural Provisions, Inc., a Vermont health foods grocery chain, agreed to pay $30,000 to settle claims brought by the Vermont attorney general that it failed to notify consumers and the attorney general within the statutory period required by Vermont’s Security Breach Notice Act and Consumer Protection Act. Natural Provisions, Inc. agreed to pay $15,000 in civil penalties, an additional $15,000 in upgrades for its information technology systems, and to take the steps necessary to prevent future data breaches.

The settlement resulted from a security data breach due to credit card fraud at one of its stores. The store learned of the fraud after local police responded to reports from customers that credit card numbers were being stolen and used, tracing it to the Natural Provisions grocery. The store processed about 5,500 transactions a month. Prior to notification, tens of thousands of dollars of credit card fraud took place and some customers had their credit card information stolen a second time after, being unaware that the store was the site of the fraud, they used their replacement cards to make new purchases at the store. Natural Provisions, a company specializing in the sale of organic and natural foods, said it was unaware of the regulations required by the Vermont Security Breach Notice Act because it did not have an IT person on staff and had relied on a consulting group to ensure their security. According to the settlement, Natural Provisions violated the Vermont Security Breach Notice Act, Vt. Stat. Ann. Tit. 9, §2435 which requires a business to notify consumers within 45 days of discovery of the breach and notify the attorney general within 14 days. We generally encourage our clients to work with regulators when a data breach occurs. We contacted the Vermont Attorney General’s Office Public Protection Division and Assistant Attorney General Ryan Kriger said, “Businesses that suffer data breaches benefit from promptly notifying our office and taking steps to repair the breach. We will help any business comply with the law. We may be able to offer small, local businesses technical assistance to strengthen their security. An enforcement action is generally a last resort.”

The terms of the settlement required Natural Provisions to pay a civil penalty as well as implement new security measures consisting of: (1) installation of software that assist in bringing it in compliance with the Payment Card Industry Data Security Standard, (2) installation of firewalls to keep customers’ personally identifiable information separate from its computer network, and (3) installation of a virtual private network for the transmission and protection of personally identifiable information. The settlement also prohibits Natural Provisions from storing on its network, the full contents of credit and debit card magnetic strips.

Natural Provisions is obligated to notify the attorney general’s office within 150 days of the settlement that it complied with all the requirements of the settlement. The company must also be in compliance with Vermont laws regarding data security and must train employees to be in compliance within 120 days of the settlement. Additionally, the attorney general’s office will continue to audit the company’s security measures every six months for the next three years, or the next five years if any major shortcomings of the security measures are found. Any violation by Natural Provisions of the settlement results in a $10,000 penalty.

The Vermont Attorney General’s actions regarding Natural Provisions illustrates one example where not only is the Federal Trade Commission aggressively pursuing companies for breaches of security, but where state regulators are stepping into the fray as well. According to Vermont Attorney General Sorrell, “In this age of increasing digital and electronic commerce, businesses must be ever more vigilant to guard against identity theft and the immense financial losses and headaches that can follow the theft of important personal information.”