Vermont's Attorney General is trying to remove any lingering doubts about whether states are taking payment breach disclosure laws seriously.
The state has moved against the Embassy Suites hotel chain after one of its hotels was breached, affecting about 17 customers. Neither the state Attorney General's Office nor any of the Vermont victims were notified within the state-set time limits.
The message from Vermont is clear: even a small delay, involving a very small breach, will still be prosecuted.
According to the document the AG's office filed, officially called an Assurance of Discontinuance (AOD), the hotel incident began in July 2013, when 17 customers "reported unauthorized charges on the credit cards they previously had used at the hotel. On Oct. 8, 2013, employees of the hotel discovered and removed two devices, commonly called 'keyloggers,' on two front desk workstations."
The hotel notified the Vermont Attorney General's office on Feb. 5, 2014, more than six months after the hotel chain learned of the incident, the filing said. Vermont's Security Breach Notification Act requires that the AG be notified within 14 days.
Affected consumers were notified on Feb. 7, 2014, even though the act requires that consumers be notified in the "most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery," the state filing said.
The AG's office formally concluded that Embassy Suites didn't come close to abiding by the law. "The Attorney General alleges that, upon discovering the vulnerability, the San Francisco Embassy Suites failed to act in the most expedient time possible to determine the source of the breach and that the delay was not reasonable."
The hotel chain agreed to be covered under a five-year agreement that says it will abide by the law and face a $5,000 fine for each further incident.