A small country store just got fined $3,000 for failing to report a data security breach.

Vermont Attorney General (AG) Bill Sorrell explained why his office targeted Shelburne Country Store in Shelburne, Vermont. "At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach."

According to the AG's office, "In late 2013, the company’s website was hacked and credit card information stolen. Upon being informed of the breach in January 2014, the company quickly fixed the problem, but did not notify" the store's 721 internet buyers of the breach until being contacted by Sorrell's office.

Vermont’s data security law requires companies suffering a breach to notify the AG’s office within 14 days.

Sorrell discussed the importance of states and state AGs in data security protection back in February (MRA members only), concluding that companies should work closely with the AG's office: “The longer you wait, the more suspicions you raise.”

Recommendations for survey, opinion and marketing researchers
A data breach can cost a U.S. company an average of almost $6 million, according to a recent study -- almost entirely from lost business, not from fines or lawsuits. Breaches can also cost corporate leadership their jobs, as the CEO of Target learned in May.

The research profession -- uber-reliant on respondents’ good will and interest in sharing data -- needs to keep that fact top of mind when designing and implementing security protocols for their systems and arrangements with their business partners and vendors.

Research professionals should:

  1. Mind the California Attorney General's cybersecurity best practices and her recommended data security practices;
  2. Designate a privacy officer for your organization;
  3. Review the states’ varying data security laws, including Vermont's (obviously) and the new law in Kentucky;
  4. Work to involve all research company and organization employees in data security efforts; and
  5. Use our checklist as a guide to prepare for responding to a hypothetical data breach.

This information should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.