On September 29, 2017, Samanage USA, Inc. (“Samanage”), a North Carolina-based technology company that provided cloud-based IT support services as a subcontractor for Vermont’s health care exchange (“Vermont Health Connect”), agreed to a $264,000 settlement with the Vermont Attorney General in relation to a breach that exposed the Social Security numbers of 660 Vermont Health Connect users.

In June 2016, an employee of a contractor for the State of Vermont attached a spreadsheet with the names and Social Security numbers of Vermont Health Connect users to a job ticket that was part of Samanage’s IT support system. Samanage’s system communicated job tickets through a unique URL that was generated by a hash algorithm. According to the Vermont Attorney General, however, because Samanage did not authenticate an entity that requested information via the URL, anyone could theoretically type the URL into a standard web browser and access the document. As a result, Microsoft Bing’s search index web crawler discovered the URL and posted it to its search results, revealing not only the link to the spreadsheet, but also a preview of the contents of the document, including the personally identifiable information of Vermont Health Connect users. The publicly accessible search result was discovered by a Vermont resident who subsequently notified the Vermont Attorney General.

After receiving notice of the breach, Samanage changed the document’s security settings to require authentication, but nonetheless failed to (1) immediately require authentication of all documents; and (2) notify the contractor of the breach, as required by Vermont’s breach notification law. According to the terms of the settlement, “[a]bsent intervention by the Attorney General, there is no indication that SaManage planned to inform anyone of the breach.”

The Attorney General brought claims under both Vermont’s Consumer Protection Act and Vermont’s Security Breach Notice Act. Under the terms of the settlement, Samanage agreed to implement a comprehensive written information security program that includes (1) designating an employee to coordinate and be accountable for the company’s information security program; (2) conducting a risk assessment; (3) designing and implementing safeguards to control identified risks; (4) testing and monitoring the effectiveness of the safeguards on an ongoing basis; and (5) evaluation and modification of the security program in light of the results of such testing and monitoring.

The settlement further requires Samanage to implement certain prescribed technical safeguards (e.g., network segmentation, security patching and anti-malware tools, intrusion detection systems or other security monitoring tools, access control measures, log retention, etc.), submit to a full audit of its legal compliance program, and conduct training for its officers and employees.