Natural Provisions, Inc., a Vermont health foods grocery chain,
agreed to pay $30,000 to settle claims brought by the Vermont
attorney general that it failed to notify consumers and the
attorney general within the statutory period required by
Vermont's Security Breach Notice Act and Consumer Protection
Act. Natural Provisions, Inc. agreed to pay $15,000 in civil
penalties, an additional $15,000 in upgrades for its information
technology systems, and to take the steps necessary to prevent
future data breaches.
The settlement resulted from a security data breach due to
credit card fraud at one of its stores. The store learned of the
fraud after local police responded to reports from customers that
credit card numbers were being stolen and used, tracing it to the
Natural Provisions grocery. The store processed about 5,500
transactions a month. Prior to notification, tens of thousands of
dollars of credit card fraud took place and some customers had
their credit card information stolen a second time after, being
unaware that the store was the site of the fraud, they used their
replacement cards to make new purchases at the store. Natural
Provisions, a company specializing in the sale of organic and
natural foods, said it was unaware of the regulations required by
the Vermont Security Breach Notice Act because it did not have an
IT person on staff and had relied on a consulting group to ensure
their security. According to the settlement, Natural Provisions
violated the Vermont Security Breach Notice Act, Vt. Stat. Ann.
Tit. 9, §2435 which requires a business to notify consumers
within 45 days of discovery of the breach and notify the attorney
general within 14 days. We generally encourage our clients to work
with regulators when a data breach occurs. We contacted the Vermont
Attorney General's Office Public Protection Division and
Assistant Attorney General Ryan Kriger said, "Businesses that
suffer data breaches benefit from promptly notifying our office and
taking steps to repair the breach. We will help any business comply
with the law. We may be able to offer small, local businesses
technical assistance to strengthen their security. An enforcement
action is generally a last resort."
The terms of the settlement required Natural Provisions to pay a
civil penalty as well as implement new security measures consisting
of: (1) installation of software that assist in bringing it in
compliance with the Payment Card Industry Data Security Standard,
(2) installation of firewalls to keep customers' personally
identifiable information separate from its computer network, and
(3) installation of a virtual private network for the transmission
and protection of personally identifiable information. The
settlement also prohibits Natural Provisions from storing on its
network, the full contents of credit and debit card magnetic
Natural Provisions is obligated to notify the attorney
general's office within 150 days of the settlement that it
complied with all the requirements of the settlement. The company
must also be in compliance with Vermont laws regarding data
security and must train employees to be in compliance within 120
days of the settlement. Additionally, the attorney general's
office will continue to audit the company's security measures
every six months for the next three years, or the next five years
if any major shortcomings of the security measures are found. Any
violation by Natural Provisions of the settlement results in a
The Vermont Attorney General's actions regarding Natural
Provisions illustrates one example where not only is the Federal
Trade Commission aggressively pursuing companies for breaches of
security, but where state regulators are stepping into the fray as
well. According to Vermont Attorney General Sorrell, "In this
age of increasing digital and electronic commerce, businesses must
be ever more vigilant to guard against identity theft and the
immense financial losses and headaches that can follow the theft of
important personal information."
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Nearly five years after announcing it would
"expeditiously" implement provisions of the Dodd-Frank
Act concerning data collection on small business lending, the
Consumer Financial Protection Bureau (CFPB) finally seems to be
Tomorrow the CFPB will issue an interim final rule that will increase the maximum amount of civil penalties that the CFPB and certain other enforcers can obtain for various consumer protection violations.
The authors examine the Consumer Financial Protection Bureau's foray into data security
enforcement by assessing how the bureau's data security authority compares with that
of other federal regulators.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).