Attorney General T.J. Donovan announced a settlement with the New England Municipal Resource Center (NEMRC) regarding serious data security problems in its municipal management software. This software is used by every city and town in Vermont. To resolve allegations that its lack of data security violated the Vermont Consumer Protection Act, NEMRC has agreed to improve many of its business practices, such as developing an Information Security Program and enhancing employee training regarding security. NEMRC will also pay a penalty of $30,000.
The data security problems identified by the Attorney General’s Office include failing to use appropriate encryption in storing sensitive information like passwords, social security numbers, and banking information. In addition, NEMRC’s cloud server lacked appropriate security such as antivirus or endpoint security software, or appropriate logging of access attempts. The Office saw no evidence of security breaches at any municipality as a result of the software, but could not rule out the possibility of an undiscovered breach, due to the lack of logging or security monitoring.
“Our first priority was to ensure that the software was secure in order to protect Vermont’s citizenry and the safe operation of its cities and towns,” said Attorney General Donovan. Upon being made aware of security concerns, the Attorney General’s Office reached out to NEMRC and, with the assistance of a team of security experts from Champlain College, was able to help NEMRC address its most serious security issues.
“Small businesses are integral to the economic vitality and culture of Vermont, and I want to encourage those businesses to ensure they are protecting Vermonters’ data privacy,” said Attorney General Donovan. Resources for small businesses in maintaining basic data privacy standards can be found on the Attorney General’s website under Privacy and Data Security.
Whether or not a breach occurred, Vermonters should protect themselves from security breaches and fraud attempts. You can do this by reviewing all credit card statements and credit reports for errors or new accounts. If you are concerned that your data may have been compromised, implement a freeze with the major credit reporting agencies. More information about preventing identity theft and fraud can be found on Vermont’s Consumer Assistance Program website.
A copy of the settlement can be found here.