The Vermont Attorney General recently reached two settlements indicating that the Green Mountain State is flexing some muscle when it comes to data breach notifications. Vermont settled with Embassy Suites Management LLC over allegations that it failed to provide state residents and law enforcement timely notification of a data security breach at one of its hotels that affected customers’ credit card information. The state reached a similar agreement last year with Auburn University after it took two months to determine that a security vulnerability had exposed students’ Social Security numbers, including those of Vermont residents, and then notified the state and affected students only six weeks later. The settlements require the two entities to ensure compliance with Vermont’s Security Breach Notice Act or face monetary penalties.