Software used by cities and towns has been found to have had flaws.

A small company that provides software for about 200 Vermont municipalities as well as the Vermont Tax Department will pay $30,000 as part of a settlement with the Vermont Attorney General’s Office.

New England Municipal Resource Center, or NEMRC, creates and maintains the software that cities and towns use for managing functions such as utility bills, tax bills, land records, and dog licenses. The company was started by Ernie Saunders at his home in Fairfax in 1984, and Saunders still runs the company from his home, now with 23 employees.

Last year, IT consultant Brett Johnson of the software company simpleroute wrote a research paper outlining flaws in the software that could leave cities and towns vulnerable to theft of personal and financial information. He also notified the Attorney General’s Office. In an interview with VTDigger in February, Saunders confirmed that there were vulnerabilities.

On Thursday, the Attorney General’s Office said Saunders had agreed that the company would improve its security and training and pay $30,000 in five monthly installments to resolve allegations that its lack of data security violated the Vermont Consumer Protection Act.

The AG’s office said in a statement that NEMRC failed to use appropriate encryption in storing sensitive information like passwords, social security numbers, and banking information. The company’s cloud server lacked antivirus or endpoint security software, or appropriate logging of access attempts.

“The Attorney General’s investigative team was able to decode Respondent’s algorithm in an hour of focused effort,” the office said in the settlement. The AG’s office worked on the case with a team of forensic experts from Champlain College in Burlington.
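The two findings above, reversible password storage and missing access logging, map to a standard pair of controls. The following is an added illustration, not NEMRC's code and not the AG's analysis: a hypothetical reversible encoding (here plain base64, chosen only to stand in for any scheme that can be undone once it is understood) beside salted, iterated PBKDF2 hashing, plus a minimal audit record of every authentication attempt. All function names, the iteration count, and the sample credentials are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# --- Failure mode: a reversible encoding (hypothetical stand-in) ------------
# Anyone who works out the scheme recovers the original secret; no per-user
# secret is involved, so one decoding step unlocks every stored value.
def reversible_encode(secret: str) -> str:
    return base64.b64encode(secret.encode()).decode()


def reversible_decode(stored: str) -> str:
    return base64.b64decode(stored.encode()).decode()


# --- Mitigation: one-way, salted, iterated password hashing ----------------
ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Mitigation: log every access attempt, success or failure --------------
def authenticate(username: str, password: str, store: dict, audit: list) -> bool:
    """Check credentials against `store` and append one audit entry per attempt.

    `store` maps usernames to hash_password() records; `audit` is any list
    (a file or SIEM forwarder in production). Unknown users are logged too,
    which is what makes credential-guessing visible after the fact.
    """
    record = store.get(username)
    ok = record is not None and verify_password(password, record)
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "result": "success" if ok else "failure",
    })
    return ok


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    encoded = reversible_encode("clerk-pass-2019")
    print("reversible scheme recovers:", reversible_decode(encoded))

    users = {"clerk": hash_password("clerk-pass-2019")}
    log: list = []
    print("correct password:", authenticate("clerk", "clerk-pass-2019", users, log))
    print("wrong password:  ", authenticate("clerk", "guess", users, log))
    print("unknown user:    ", authenticate("nobody", "guess", users, log))
    for entry in log:
        print(entry)
```

The stored record carries its own salt and iteration count, so the work factor can be raised later without breaking existing entries; `hmac.compare_digest` avoids leaking digest bytes through comparison timing. The audit list is deliberately the simplest possible sink, because the finding on the page is the absence of any record at all.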

The investigators didn’t see evidence of security breaches, the statement said. But “due to the lack of logging and other basic threat-detection methods, it would not be possible to detect many types of security breaches that may have occurred,” the settlement said.

Johnson said he became aware of the NEMRC flaws after he was hired to do IT work for two Vermont towns in 2017. He said he found it would be easy for a hacker to gain access to municipal workers’ Social Security numbers and to their banking and routing information. Some of that information had been available on city and town websites since 2006, he said.

He said Tuesday that he was disappointed NEMRC would continue to use the discontinued Microsoft program Visual FoxPro that was created in 1984. Microsoft long ago stopped providing support for the program. Johnson knows of one town that has stopped using NEMRC for its payroll services because of the security problems. But NEMRC’s service is less expensive than national ones with more security, and cities and towns are looking for ways to save money.

“A lot of municipalities look at ‘What does it cost?’ versus what do they need,” Johnson said. “We’ve left it to everyone to self-regulate, and the smaller municipalities aren’t doing their due diligence because they don’t have the funds or the ability to do so.”

NEMRC referred questions about the settlement to Montpelier attorney Charles Merriman, who said that the company would pay the $30,000 and implement the changes outlined in the settlement.

“We still think the law itself didn’t support the decision of the AG’s office and the AG’s office still thinks the law itself supports its decision, but in the end it doesn’t really matter, because the key thing is that we want to have our house in order, and the AG’s office was very helpful and they found some issues that we needed to address,” Merriman said. “At the end we’ve got a really good system now. It has been significantly improved as a consequence of this experience.”

Johnson said he tried to talk to state lawmakers last year to see if any would be interested in working on a law that would require that potential breaches be reported to users.

“They effectively ignored me,” he said.

The state of Vermont Tax Department uses NEMRC to compile grand list information, John Quinn, the secretary of the state’s Agency of Digital Services, said in February. Quinn said the agency put out a request for a new provider before Johnson called attention to the problems with NEMRC.

Johnson said the state needs to establish statewide standards for data security.

“The goal is not a settlement; it’s not to extract damages or penalties,” he said. “The goal is a safer security landscape in the state of Vermont.”

Anne Wallace Allen is VTDigger's business reporter. Anne worked for the Associated Press in Montpelier from 1994 to 2004 and most recently edited the Idaho Business Review.
