Yesterday, the Vermont Attorney General announced a settlement with business-to-business software developer Entrinsik, Inc., resolving allegations that the company’s Informer program violated Vermont law, including the law placing restrictions on the use and disposal of data containing Social Security numbers.
The Informer program is used by businesses, including seven colleges in Vermont, to analyze data and create reports by extracting that data from databases and presenting it in a web browser. The program also, however, creates a plain-text, unsecured file of this extraction and stores it on the user’s local hard drive, allegedly without the user’s knowledge. According to the Attorney General, in 2013, a Vermont college used Informer to generate a report containing 14,000 Social Security numbers. The plain-text extraction file was stored on the computer’s local hard drive and backed up to an external hard drive, which was then misplaced, triggering Vermont’s data breach notification statute and, likely, the investigation into Entrinsik and the Informer program.
Under the terms of the settlement agreement, Entrinsik has agreed to take the following actions:
- Add clear and conspicuous warnings in all user and instructional materials of the functionality that creates plain-text files.
- Add the following conspicuous warning message to the export dialog: “Note: Exporting data may result in the creation of unsecure/unencrypted temporary or permanent files on your computer. Please contact your system administrator with any questions regarding the proper safeguarding of sensitive information.”
- Issue, and strongly recommend the application of, a patch or other software update to all business consumers in Vermont that includes the new warning.
Importantly, the Attorney General noted that he was not imposing a monetary penalty because he believes the practice of creating “temporary” plain-text files is widespread, “and many companies may not even realize that [it] could violate State law.” This settlement serves as a reminder that companies should evaluate the functionalities of the programs they develop and use to confirm their compliance with applicable data security laws and regulations.