A firm whose software is used by all Vermont cities and towns will pay the state $30,000 to settle allegations that it failed to safeguard sensitive data.
Software from the New England Municipal Resource Center, based in Fairfax, had left taxpayers' bank information and municipal employees' Social Security numbers exposed and vulnerable to theft for years, a Vermont technology consultant told Seven Days in February. Municipalities use the firm's products to compile grand lists, track accounts payable and receivable, maintain general ledgers, and administer property taxes, among other tasks.
South Burlington-based IT firm simpleroute first reported the bugs to NEMRC and then disclosed them publicly on its website. The findings raised questions about whether municipalities could safeguard data.
The Attorney General's Office said in a press release Thursday that it brought in a team of security experts from Champlain College after learning of the problems. In about an hour, they were able to crack an algorithm that the software used to encode sensitive data.
NEMRC worked quickly to address concerns, the settlement says. The firm agreed to improve its business practices, such as by developing an information security program and enhancing employee training regarding security.
The AG found no evidence of actual security breaches.
Montpelier attorney Charles Merriman, who represented NEMRC, said that the written settlement was a “fair statement of the facts.”
“NEMRC had shortcomings, and those are fixed now,” he said. “And they’re fixed largely due to the fact that the AG’s office shined a light on them. So we thank them for helping us get our ship into order.”
NEMRC has been essential for running small towns in Vermont, Merriman said. "The grand list is built on NEMRC," he said, and the product has been easy to use.
“One of the reasons it’s been good is because it’s been simple, and it’s been very inexpensive,” he added. “It’s time for NEMRC to move on up to the 21st century.”