Vermont Settles with B2B Software Developer over Security Practices

Kelley Drye & Warren LLP

Yesterday, the Vermont Attorney General announced a settlement with business-to-business software developer Entrinsik, Inc., resolving allegations that the company’s Informer program violated Vermont law, including the law placing restrictions on the use and disposal of data containing Social Security numbers.

The Informer program is used by businesses, including seven colleges in Vermont, to analyze and create reports of data by extracting that data from databases and presenting it in a web browser. However, the program also creates a plain-text, unsecured file of this extraction and stores it on program users’ local hard drives, allegedly without their knowledge. According to the Attorney General, in 2013, a Vermont college used Informer to generate a report with 14,000 Social Security numbers. The text file extraction was stored on the computer’s local hard drive and backed up to an external hard drive, which was then misplaced, triggering Vermont’s data breach notification statute, and likely the investigation into Entrinsik and the Informer program.

Under the terms of the settlement agreement, Entrinsik has agreed to take the following actions:

  • Add clear and conspicuous warnings in all user and instructional materials of the functionality that creates plain-text files.
  • Add the following conspicuous warning message to the export dialog: “Note: Exporting data may result in the creation of unsecure/unencrypted temporary or permanent files on your computer. Please contact your system administrator with any questions regarding the proper safeguarding of sensitive information.”
  • Issue, and strongly recommend the application of, a patch or other software update to all business consumers in Vermont that includes the new warning.

Importantly, the Attorney General noted that he was not imposing a monetary penalty because he believes the practice of creating “temporary” plain-text files is widespread, “and many companies may not even realize that [it] could violate State law.” This settlement serves as a reminder that companies should evaluate the functionalities of the programs they develop and use to confirm their compliance with applicable data security laws and regulations.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising
