Breaches: Holding Retailers AccountableVermont's Settlement with Merchant Could Set Bar for Others
The Vermont Attorney General's $30,000 settlement with a breached retailer is significant because it demonstrates that states can play a role in holding retailers accountable for losses associated with card fraud, one banker says.
As a result of this case, more banking institutions may ask state attorneys general to conduct investigations after card fraud is linked to a retailer, says Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets. That's because attorneys general enforce state laws, which may call for timely breach notification and establish security requirements, including compliance with the Payment Card Industry Data Security Standard.
Meadors says many banking institutions, including her own, usually report fraud incidents to local and federal law enforcement authorities, rather than state attorneys general. "Maybe we should pursue the breach angle with state agencies in the future," she says. "Some additional fines from the state agencies would further encourage smaller merchants to take a closer look at how they are updating their [point-of-sale] software."
Actions in Vermont
Last month, the Williston, Vt.-based grocery chain Natural Provisions agreed to pay a $15,000 fine to settle allegations that it failed to promptly notify customers of a breach dating back to 2012. Natural Provisions also agreed to spend $15,000 on security upgrades to its point-of-sale system.
According to Vermont Attorney General William Sorrell, Natural Provisions' lax security contributed to the breach that resulted in tens of thousands of dollars in fraud losses linked to compromised cards.
"When banks traced the fraud back to Natural Provisions, the store was informed that it was the likely source of the fraud," Sorrell states in a notice about the settlement. "Under Vermont law, a company must notify the attorney general within 14 days of the discovery of a breach, notify its customers within 45 days, and quickly take steps to remedy the breach. Natural Provisions failed to meet these standards. After it first obtained information that a security breach might have occurred at its store, it did not commence taking remedial action to resolve the security vulnerability for more than a month."
The attorney general's notice also notes: "Some consumers had their credit cards compromised, had cards reissued, and had the new cards compromised after use at Natural Provisions."
In the settlement with Natural Provisions, Sorrell claims Natural Provisions failed address, in a timely manner, security weaknesses that allowed its payments network to be compromised and an undetermined amount of card data was stolen.
Natural Provisions did not respond to Information Security Media Group's request for comment.
But Assistant Attorney General Ryan Kriger says the reason for the enforcement action from the state was Natural Provisions' failure to immediately fix the problem once it was brought to the store's attention.
"It took them more than a month to start taking any steps," Kriger tells Information Security Media Group. "They were notified and did't take steps. We in the Attorney General's office didn't find out about it until even later than that."
Kriger says many small business struggle to maintain adequate POS security, and in Vermont the AG's office has worked with numerous businesses to assist them after a breach. In the case of Natural Provisions, however, so much time passed that the state felt enforcement action had to be taken, he says.
"Hopetufully it will make other small businesses realize this is a serious matter," Kriger says. "As a small business, you need to be thinking about security; you need to have a plan in place; and you need to follow the law. ... State AGs are in best position to enforce more security with these local businesses."
Meadors of Republic Bank & Trust says breaches at smaller retailers, such as Natural Provisions, which processes approximately 5,500 payment card transactions per month, are relatively common. But it's not just the retailers that are to blame, she contends.
"Some [POS] software companies are not properly educating their merchants about the risk and the need to keep the software updated and patched," Meadors says.
"We have been told that often the software companies or their resellers are not sending out patches or updates, even when the merchants have paid for them. It will probably take some merchants bringing lawsuits against their software providers to get any action."
Another recent retailer breach, which was traced back to a POS software vulnerability, affected numerous small merchants in Kentucky and Indiana in early 2013. That software vulnerability led to a malware attack that exposed hundreds of debit and credit accounts in and around Louisville, Ky. (see Retailers Attacked by POS Malware).
Setting an Example
Dan Mitchell, a data security attorney for Maine-based Bernstein Shur, says Vermont's actions against Natural Provisions likely were meant to set an example.
"The interesting thing about this one is that the Vermont breach notification statute has a set deadline by which data breach notification has to be provided," Mitchell says. "There are only a handful of states that have a specific amount of time for notification. And Vermont only recently amended their breach notification statute in May 2012. Prior to that, they had similar requirements like other states that did not specify the 45-day rule."
Given the publicity this case has gotten, other states could soon follow Vermont's lead and amend their breach-notification statutes to include timelines as well, Mitchell says. "I don't think other states are going to look at this and say Vermont is being really strict and unrealistic."
The lesson for other merchants, or any entity that processes cardholder data, is that security has to be taken seriously, Mitchell adds. "If they are transacting data, then, regardless of size, they could potentially do a lot of harm if they are breached. They need to be secure."
David Navetta, who is the co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee, notes: "What is unique in this case is that it involves a relatively low-profile company. Many regulators are generally less aggressive with smaller organizations because they realize that some of these smaller companies face technical and resource challenges when it comes to security."