The Vermont Attorney General (AG) recently announced that it has settled with SAManage USA, a business support services company, for failing to timely notify 660 Vermont residents that their names and Social Security numbers were accessible through the online search engine Bing.
In July of 2016, an employee of SAManage attached an excel spreadsheet containing the names and Social Security numbers of 660 individuals to a job ticket for its support system relating to the Vermont health exchange, Vermont Health Connect. The employee assigned the job ticket a unique url, and as it was processed by the vendor, it was indexed by Bing and thereafter displayed when searched.
A resident conducting an Internet search found the excel spreadsheet containing the Social Security numbers and contacted the Vermont Attorney General’s office. The AG alerted AWS and requested that the spreadsheet be removed, and AWS then alerted SAManage of the incident. Although SAManage was advised of the incident on July 25, 2016, it did not notify the AG or those affected within the time limits required by the Vermont data breach notification law, which is 14 days to notify the AG and 45 days to notify the individuals.
SAManage was alerted by AWS on July 25, 2016, and the AG and residents weren’t notified of the incident until late September 2016.
SAManage has agreed to pay $264,000 for failing to notify within the time limits required by the statute and to implement a comprehensive information security program.
This case is a reminder that state Attorneys General enforce individual state breach notification laws and that each state law has different requirements regarding the timing of notification.