Vermont Security Breach Notice Act
9 V.S.A. § 2430, § 2435
SUMMARY:
EFFECTIVE. January 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any business or government agency that owns or licenses computerized data that includes Personal Information; and (2) any person or government agency that maintains computerized data that includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of and access to computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a business or government agency. A good faith acquisition of Personal Information by an employee or agent for a legitimate purpose is not a breach, if it is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
- Social Security number or taxpayer identification number.
- Driver’s license number or identification card number.
- Account number, credit card number, or debit card number, if the number could be used without access codes or passwords; or a security code, access code, or password for a financial account.
- Passport number, military identification card number, or other government identification number commonly used to verify identity for commercial transactions.
- Biometric data.
- Genetic information.
- Health records, records from wellness, health promotion, or disease prevention programs, and medical diagnosis or treatment information.
- Health insurance policy numbers.
- Online account login credentials in combination with a password or answer to a security question that permits access to the account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notice of the breach must be sent to the affected individuals. The entity must also notify the Attorney General (or the Department of Financial Regulation, if the entity is licensed or registered with the Department under Title 8) of the breach, including a preliminary description of it, within 14 business days of discovering the breach or of providing notice to consumers, whichever is sooner. An entity that, before the breach, has sworn in writing to the Attorney General that it maintains written policies and procedures to secure Personal Information and to respond to a breach consistent with State law must instead report these items to the Attorney General before providing notice to consumers. In either case, when the entity provides notice to consumers it must also give the Attorney General a copy of the consumer notice and the number of Vermont consumers affected, if known. Absent an order from a court of this State, the notice provided to the Attorney General shall not be disclosed to anyone other than the Attorney General, the Department, or another law enforcement officer. The entity may provide the Attorney General with a second copy of the consumer notice, from which the types of Personal Information subject to the breach have been removed, for public disclosure of the breach.
If more than 1,000 consumers are affected by a breach, the business or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. § 1681a(p)) of the timing, distribution, and content of the notices.
EXCEPTIONS. This Section does not apply in the following cases:
- No notice is required if the business or government agency determines that misuse of the Personal Information is not reasonably possible and provides a detailed written explanation of that determination to the Attorney General, or to the Department of Financial Regulation (“Department”) if the entity is licensed or registered with the Department under Title 8. If the business or government agency later discovers that misuse of the Personal Information has occurred or is occurring, the notice requirements of this Section apply.
- A financial institution that is subject to the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued by the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or to the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notice must be sent in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity, security, and confidentiality of the data system. Notice may be delayed if a law enforcement agency requests the delay because notice would impede a criminal investigation or jeopardize national security. Such a request must be documented in writing, either by the law enforcement agency or by the business or government agency, and must include the name of the officer making the request and the investigating agency. In that case, notice must be made without unreasonable delay after law enforcement gives written clearance.
HOW TO NOTIFY OF THE BREACH. Notice must be clear and conspicuous and include each of the following, if known:
- A description of the breach, in general terms.
- The date of the security breach and the date of its discovery.
- The types of Personal Information that were accessed or acquired.
- A description of the steps the entity took to protect the Personal Information from further breach.
- A toll-free number the consumer may call for further information and assistance.
- Advice directing the consumer to remain vigilant by reviewing account statements and monitoring credit reports.
The notice may be provided by one of the following methods:
- Written notice, mailed to the individual’s residence.
- Telephone notice, provided contact is made directly with each affected individual and not by a prerecorded message.
- Electronic notice, for individuals for whom the business or government agency has a valid email address, if all of the following are met: the individual’s email address is the primary means of communication with the entity, or the entity has no mailing address or telephone number for the individual; the email does not request, or contain a link to a request for, Personal Information; the email conspicuously warns consumers not to provide Personal Information in response to an email regarding a security breach; and the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001.
- Substitute notice, as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the business or government agency can demonstrate that the cost of providing written or telephone notice would exceed $5,000, that the affected class of persons to be notified exceeds 5,000, or that it has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Conspicuous posting of the notice on the website of the business or government agency, if one is maintained.
- Notification to major statewide and regional media.
NOTICE TO THIRD PARTIES. Any business or government agency that maintains computerized data that includes Personal Information it does not own or license shall notify the owner or licensee of a security breach immediately following discovery, consistent with the legitimate needs of law enforcement. The business or government agency that owns or licenses the data is responsible for providing notice to the individuals.
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General, the State’s Attorney, and the Department of Financial Regulation have sole authority to investigate, enforce, prosecute, and impose remedies for potential violations of this Section or of any other applicable law or regulation.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. 9 Vt. Stat. § 2445. A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of: (1) ensuring the security and confidentiality of customer personal information; (2) protecting against any anticipated threats or hazards to the security or integrity of customer personal information; and (3) protecting against unauthorized access to or use of customer personal information that could result in substantial harm or inconvenience to any customer.
LEGISLATIVE UPDATES.
S. 284 – Signed into law on 5/18/2006, Effective 5/18/2006. Amended by H. 254.
H. 254 – Signed into law on 5/08/2012, Effective 5/8/2012.
H. 513 – Signed into law on 5/13/2013, Effective 5/13/2013.
S. 73 – signed into law 6/9/2015, Effective 7/1/2015.
S. 110 – signed into law 3/5/2020, Effective 7/1/2020.
For more information, see here: https://legislature.vermont.gov/statutes/section/09/062/02435
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.