In re Shelburne Country Store Website, No. 425-7-14-WNCV (Vt. Sup. Ct.).
In January 2014, the Shelburne Country Store learned that its website code had been modified and that the credit card information of 721 customers had been compromised. While the store immediately repaired the breach, it did not notify the affected customers or the Attorney General. After the Vermont Attorney General independently learned of the breach and contacted the store in March 2014, the business notified the customers, offered a year of credit monitoring, and moved to a hosted platform capable of monitoring for intrusions. Vermont law, however, requires businesses to notify the Attorney General within 14 days of learning of a breach and to notify affected customers within 45 days. On July 9, the Attorney General reached a settlement with the store. In addition to paying a $3,000 fine, the store must “implement and maintain a comprehensive Information Security Program” and conduct a full audit of its policies and procedures to ensure that it is complying with Vermont law. The security program must comply with either the Payment Card Industry Data Security Standards or the data security standards in the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth. The settlement also grants the Attorney General permission to access the store’s records and institutes stiffer penalties for future violations. In September 2013, the Vermont AG reached a more stringent settlement with a health food store that had failed to notify customers or correct its system vulnerability after a 2012 data breach.