Every retailer has a responsibility to their customers to ensure payment information is safe at all times. That is not an unreasonable request from consumers, but in the event that expectation is not met, retailers should at least be forthright about it and take immediate actions to rectify the problem.
That didn’t happen in Vermont, and the ramifications could be felt all over the retail world. The problem stems from a point of sale security breach that grocery chain Natural Provisions suffered and failed to report. According to court documents, poor security protocols opened the door to a breach that resulted in the theft of tens of thousands of dollars from customers' compromised cards.
Thinking it was at fault, an area bank asked the state’s attorney general to investigate the problem and the grocery chain was found at fault. Under Vermont law, companies have 14 days to report a breach and 45 days to notify customers and start making changes to rectify the problem.
Unfortunately, the company didn’t do so. It was sued and settled for $30,000: $15,000 for failure to report and $15,000 for upgrading point of sale systems.
What will the aftermath be for the retail industry?
An article from Bank Info Security examined the case and wondered what the ripple effects could be for the retail industry. The settlement is based on a state law, and not many other states have such regulations in place.
According to Dan Mitchell, a security attorney in Maine, the actions taken against Natural Provisions were likely done to set an example to the rest of the retail industry. The company is relatively small on a national scale but the headlines have gained massive publicity. On top of that, many state officials should not see these actions as being over the top or too stringent.
“The interesting thing about this one is that the Vermont breach notification statute has a set deadline by which data breach notification has to be provided,” Mitchell says. “There are only a handful of states that have a specific amount of time for notification. And Vermont only recently amended their breach notification statute in May 2012. Prior to that, they had similar requirements like other states that did not specify the 45-day rule.”
He went on to say that the lesson merchants and other businesses that process customer information need to learn from this is that customer data security is critically important. Regardless of the size of a business, if customer information is processed, it must be secure at all times. Data breaches are not limited to multinational companies, and every business owner needs to be aware of this.
“What is unique in this case is that it involves a relatively low-profile company,” David Navetta, who is the co-founder of the Information Law Group and co-chairman of the American Bar Association’s Information Security Committee, told the news source. “Many regulators are generally less aggressive with smaller organizations because they realize that some of these smaller companies face technical and resource challenges when it comes to security.”
With the help of a payment solution provider that specializes in retail point of sale software and security, companies of all sizes can take steps toward ensuring consumer information is safe at all times. Visual Retail Plus is one such company that can help merchants ensure PCI compliance and sufficient security levels, while providing back-end support to keep all POS equipment running effectively.