Vermont AG Settles with Software Company over Security Vulnerability

A recent settlement announced by Vermont’s Attorney General illustrates the obligations it expects of software providers with respect to common security vulnerabilities. According to the Vermont AG, a security breach at Vermont’s Champlain College in 2013 exposed 14,000 social security numbers due to a vulnerability in Entrinsik’s Informer software. The software—and others like it—creates unsecured plain text copies of certain data files exported from a user’s browser. Users are typically unaware that this is occurring, leaving the unsecured data files in a temporary directory on the computer’s hard drive. The AG warned that these data files would be easily viewable if the computer is hacked or lost. 

In its settlement, the AG relied on Section 2453(a) of the Vermont Consumer Protection Act, which declares as unlawful any “unfair methods of competition in commerce and unfair or deceptive acts or practices in commerce,” to argue that the company should have either corrected digital vulnerabilities or warned Vermont customers to take protective steps. Failure to do so, the AG stated, was a violation of the state’s deceptive and unfair practices law. Under the terms of the settlement, Entrinsik agreed to add pop-up boxes that warn users of the vulnerability in its Informer software. The state opted not to pursue statutorily authorized fines in this case—up to $10,000 per violation—noting in its press release that this software practice is widespread and many companies “may not even realize that this practice could violate State law.” But the AG has warned that monetary penalties are likely on the way to the next offender, now that the software industry has been put on notice.  

TIP: This settlement is a warning to companies to consider how they identify and either (a) correct common security vulnerabilities or (b) warn consumers about such vulnerabilities. The Vermont AG has demonstrated that it will use the state’s general unfair and deceptive practices act to pursue failures to take one or the other of these two steps.