Part of An Ongoing Series
No, not likely. In fact, even “mom and pop stores” have incurred hefty civil penalties for failing to notify consumers and/or regulators of a data breach. On July 9, 2014, the Vermont Attorney General announced that the Shelburne County Store—a small shop selling homemade Vermont souvenirs—agreed to pay a $3,000 civil penalty after reportedly failing to notify customers of a data breach relating to credit card information.
According to the Assurance of Discontinuance between the Store and the Office of the Vermont Attorney General, in late 2013, Shelburne County Store’s website was hacked, and the credit card information of 721 website customers was potentially compromised. Although the company quickly resolved the security breach once it discovered it in 2014, the Office of the Attorney General stated that the store “made no efforts to notify affected consumers of the data breach, to notify the Vermont attorney general of the data breach, or to notify any law enforcement agency.” It went on to note that “[the Office] will not accept the excuse that a business did not know of its obligations to report a breach,” even if it sells the world’s best melt-in-your-mouth fudge. As a result, the Office collected the $3,000 civil fine.
Under Vermont’s Security Breach Notice Act, amended in 2012, businesses are required to send the Attorney General a confidential notice within 14 business days of discovery of a data breach. The business must also send notice to consumers within 45 days.
California passed the nation’s first data breach notification law in 2003. It requires any business or state agency to notify any California resident whose unencrypted personal information (as defined) was acquired, or reasonably believed to have been acquired, by an unauthorized person. If a business is required to notify more than 500 affected parties, it must also notify the California Attorney General’s Office.
Privacy, Cyber-security, Cyber-crime and Cyber-insurance are some of the fastest-evolving areas in the law and our new digital economy.