Grocery Store Agrees to Pay $30K to Settle Breach Claims by Vermont Attorney General

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Adrianne Appel  

Sept. 12 --A small grocery store chain in Vermont agreed to pay $30,000 to settle claims that it failed to protect consumer data when customer credit card numbers were repeatedly stolen from its computers, the Vermont Office of the Attorney General said in a Sept. 11 statement (In re Natural Provisions, Inc., Vt. Super. Ct., No. 522-9-13-wncv, assurance of discontinuance filed 9/5/13).

Natural Provisions, Inc., of Williston, Vt., agreed to pay a civil penalty of $14,938, spend $15,062 to upgrade its information technology systems and take other steps to prevent future data breaches, according to the assurance of discontinuance filed Sept. 5 in the Vermont Superior Court.

The company, which specializes in organic and natural foods, said it was unaware of the requirements of the Security Breach Notice Act, according to the settlement.

“We don't have an IT person on staff, we relied on our consulting group to make sure we were secure,’’ Terry Powers, owner of Natural Provisions, told BNA Sept. 12. The store immediately corrected the problem and informed customers, he said.

“We've had some real factual disputes over the case but the only way to resolve it was to go to trial. With a very uncertain outcome and it being costly we decided to enter into this agreement,’’ Powers said.

Delayed Notice of Breach

Natural Provisions violated the Vermont Security Breach Notice Act, Vt. Stat. Ann. tit. 9, § 2435, according to the settlement. Under the act, a business must work quickly to remedy a security breach, inform the attorney general within 14 days of the breach and tell customers within 45 days, the attorney general's office said.

After learning from a local police department about reports that customer credit card numbers were stolen and abused, Natural Provisions didn't inform the attorney general for 45 days and didn't begin to fix the problem until a month later, the settlement said.

The store processed about 5,500 transactions a month, and before the breach was fixed, tens of thousands of dollars in credit card fraud took place, according to the settlement. Not knowing that Natural Provisions was the source of the fraud, some customers had their credit card information stolen a second time when they made new purchases at the store with their replacement cards, it said.

Further Violation Subject to $10,000 Penalty

Within 150 days after the settlement, Natural Provisions must notify the attorney general's office that it has implemented and maintained a security program to protect personally identifiable information (PII), according to the settlement.

The store must install software that assists businesses in complying with the Payment Card Industry Data Security Standard, the settlement said. It must put in place a firewall to keep customer PII separate from the rest of the computer network, install a virtual private network for transmitting PII and protect the PII with strong passwords.

The pact prohibits Natural Provisions from storing on its network the full contents of the magnetic stripe of credit and debit cards and any PIN numbers. A portion of the contents of magnetic stripes may be stored, for short periods of time, in encrypted files.

The attorney general's office will audit the store's security measures every six months, for the next three years or the next five years if any major security problems are found. Any violation of the settlement will result in a $10,000 penalty. Within 120 days of the settlement, Natural Provisions must ensure that it is in compliance with Vermont laws pertaining to data security and must train employees about the laws.


To contact the reporter on this story: Adrianne Appel in Boston at

To contact the editor responsible for this story: Katie W. Johnson at

The assurance of discontinuance is available at

Request Bloomberg Law: Privacy & Data Security