Vermont Data Brokers
9 V.S.A. § 2430 - § 2431
9 V.S.A. § 2446 - §2447
Title 9: Commerce and Trade
Chapter 62: Protection Of Personal Information
Subchapter 1: General Provisions
§ 2430. Definitions
§ 2431. Acquisition of brokered personal information; prohibitions
Subchapter 5: Data Brokers
§ 2446. Annual registration
§ 2447. Data broker duty to protect information; standards; technical requirements
§ 2430. Definitions
As used in this chapter:
(1)(A) “Brokered personal information” means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:
(i) name;
(ii) address;
(iii) date of birth;
(iv) place of birth;
(v) mother’s maiden name;
(vi) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(vii) name or address of a member of the consumer’s immediate family or household;
(viii) Social Security number or other government-issued identification number; or
(ix) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
(B) “Brokered personal information” does not include publicly available information to the extent that it is related to a consumer’s business or profession.
(2) “Business” means a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but does not include the State, a State agency, any political subdivision of the State, or a vendor acting solely on behalf of, and at the direction of, the State.
(3) “Consumer” means an individual residing in this State.
(4)(A) “Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
(B) Examples of a direct relationship with a business include if the consumer is a past or present:
(i) customer, client, subscriber, user, or registered user of the business’s goods or services;
(ii) employee, contractor, or agent of the business;
(iii) investor in the business; or
(iv) donor to the business.
(C) The following activities conducted by a business, and the collection and sale or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker:
(i) developing or maintaining third-party e-commerce or application platforms;
(ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
(iii) providing publicly available information related to a consumer’s business or profession; or
(iv) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.
(D) The phrase “sells or licenses” does not include:
(i) a one-time or occasional sale of assets of a business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business; or
(ii) a sale or license of data that is merely incidental to the business.
(5)(A) “Data broker security breach” means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person.
(B) “Data broker security breach” does not include good faith but unauthorized acquisition of brokered personal information by an employee or agent of the data broker for a legitimate purpose of the data broker, provided that the brokered personal information is not used for a purpose unrelated to the data broker’s business or subject to further unauthorized disclosure.
(C) In determining whether brokered personal information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data broker may consider the following factors, among others:
(i) indications that the brokered personal information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing brokered personal information;
(ii) indications that the brokered personal information has been downloaded or copied;
(iii) indications that the brokered personal information was used by an unauthorized person, suc as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the brokered personal information has been made public.
(6) “Data collector” means a person who, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable information, and includes the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, and retail operators.
(7) “Encryption” means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
(8) “License” means a grant of access to, or distribution of, data by one person to another in exchange for consideration. A use of data for the sole benefit of the data provider, where the data provider maintains control over the use of the data, is not a license.
(9) “Login credentials” means a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.
(10)(A) “Personally identifiable information” means a consumer’s first name or first initial and last name in combination with one or more of the following digital data elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons:
(i) a Social Security number;
(ii) a driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
(iii) a financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords;
(iv) a password, personal identification number, or other access code for a financial account;
(v) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(vi) genetic information; and
(vii)(I) health records or records of a wellness program or similar program of health promotion or disease prevention;
(II) a health care professional’s medical diagnosis or treatment of the consumer; or
(III) a health insurance policy number.
(B) “Personally identifiable information” does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(11) “Record” means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
(12) “Redaction” means the rendering of data so that the data are unreadable or are truncated so that no more than the last four digits of the identification number are accessible as part of the data.
(13)(A) “Security breach” means unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information or login credentials maintained by a data collector.
(B) “Security breach” does not include good faith but unauthorized acquisition of personally identifiable information or login credentials by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information or login credentials are not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
(C) In determining whether personally identifiable information or login credentials have been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:
(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
(ii) indications that the information has been downloaded or copied;
(iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the information has been made public. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012; 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019; 2019, No. 89 (Adj. Sess.), § 2.)
§ 2431. Acquisition of brokered personal information; prohibitions.
(a) Prohibited acquisition and use.
(1) A person shall not acquire brokered personal information through fraudulent means.
(2) A person shall not acquire or use brokered personal information for the purpose of:
(A) stalking or harassing another person;
(B) committing a fraud, including identity theft, financial fraud, or e-mail fraud; or
(C) engaging in unlawful discrimination, including employment discrimination and housing discrimination.
(b) Enforcement.
(1) A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.
(2) The Attorney General has the same authority to adopt rules to implement the provisions of this section and to conduct civil investigations, enter into assurances of discontinuance, bring civil actions, and take other enforcement actions as provided under chapter 63, subchapter 1 of this title. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)
§ 2446. Annual registration.
(a) Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100.00; and
(3) provide the following information:
(A) the name and primary physical, e-mail, and Internet addresses of the data broker;
(B) if the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) if the opt-out applies to only certain activities or sales, which ones; and
(iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer’s behalf;
(C) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;
(D) a statement whether the data broker implements a purchaser credentialing process;
(E) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches;
(F) where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
(G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) A data broker that fails to register pursuant to subsection (a) of this section is liable to the State for:
(1) a civil penalty of $50.00 for each day, not to exceed a total of $10,000.00 for each year, it fails to register pursuant to this section;
(2) an amount equal to the fees due under this section during the period it failed to register pursuant to this section; and
(3) other penalties imposed by law.
(c) The Attorney General may maintain an action in the Civil Division of the Superior Court to collect the penalties imposed in this section and to seek appropriate injunctive relief. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)
§ 2447. Data broker duty to protect information; standards; technical requirements.
(a) Duty to protect personally identifiable information.
(1) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
(A) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program;
(B) the amount of resources available to the data broker;
(C) the amount of stored data; and
(D) the need for security and confidentiality of personally identifiable information.
(2) A data broker subject to this subsection shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of personally identifiable information and information of a similar character set forth in other State rules or federal regulations applicable to the data broker.
(b) Information security program; minimum features. A comprehensive information security program shall at minimum have the following features:
(1) designation of one or more employees to maintain the program;
(2) identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including:
(A) ongoing employee training, including training for temporary and contract employees;
(B) employee compliance with policies and procedures; and
(C) means for detecting and preventing security system failures;
(3) security policies for employees relating to the storage, access, and transportation of records containing personally identifiable information outside business premises;
(4) disciplinary measures for violations of the comprehensive information security program rules;
(5) measures that prevent terminated employees from accessing records containing personally identifiable information;
(6) supervision of service providers, by:
(A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and
(B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information;
(7) reasonable restrictions upon physical access to records containing personally identifiable information and storage of the records and data in locked facilities, storage areas, or containers;
(8)(A) regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personally identifiable information; and
(B) upgrading information safeguards as necessary to limit risks;
(9) regular review of the scope of the security measures:
(A) at least annually; or
(B) whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personally identifiable information; and
(10)(A) documentation of responsive actions taken in connection with any incident involving a breach of security; and
(B) mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personally identifiable information.
(c) Information security program; computer system security requirements. A comprehensive information security program required by this section shall at minimum, and to the extent technically feasible, have the following elements:
(1) secure user authentication protocols, as follows:
(A) an authentication protocol that has the following features:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect;
(iv) restricting access to only active users and active user accounts; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access; or
(B) an authentication protocol that provides a higher level of security than the features specified in subdivision (A) of this subdivision (c)(1);
(2) secure access control measures that:
(A) restrict access to records and files containing personally identifiable information to those who need such information to perform their job duties; and
(B) assign to each person with computer access unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls or a protocol that provides a higher degree of security;
(3) encryption of all transmitted records and files containing personally identifiable information that will travel across public networks and encryption of all data containing personally identifiable information to be transmitted wirelessly or a protocol that provides a higher degree of security;
(4) reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;
(5) encryption of all personally identifiable information stored on laptops or other portable devices or a protocol that provides a higher degree of security;
(6) for files containing personally identifiable information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information or a protocol that provides a higher degree of security;
(7) reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis or a protocol that provides a higher degree of security; and
(8) education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
(d) Enforcement.
(1) A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.
(2) The Attorney General has the same authority to adopt rules to implement the provisions of this chapter and to conduct civil investigations, enter into assurances of discontinuance, and bring civil actions as provided under chapter 63, subchapter 1 of this title. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)
For more information, see here: https://legislature.vermont.gov/statutes/chapter/09/062
AND
https://sos.vermont.gov/corporations/other-services/data-brokers/
These materials were obtained directly from the State Legislative website and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.