Vermont Data Breach Notification Statute Summary

9 Vt. Stat. Ann. §§ 2430, 2435


Type of Data Covered: Electronic.
Deadline for Notification: Most expedient time possible and without unreasonable delay, but not later than 45 days.
Government Notice: Yes – Attorney General within 14 business days.


Subject Entities

Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personally identifiable information or login credentials. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personally Identifiable Information

1. First name or first initial and last name, in combination with one or more of the following unencrypted or unredacted data elements:

  • Social Security number;
  • Driver’s license number or non-driver identification card number;
  • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;
  • Passwords, personal identification numbers, or other access codes for a financial account;
  • Taxpayer identification number;
  • Passport number;
  • Military identification card number;
  • Other government identification numbers where commonly used to verify identity for commercial transactions;
  • Biometric data;
  • Genetic information;
  • Health records and records from other wellness programs, health promotion, or disease prevention programs;
  • Medical diagnosis or treatment information; and
  • Health insurance policy numbers.

2. Also includes online account login credentials where combined with passwords or answers to security questions permitting access to the account.

Definition of Breach

Unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information or login credentials maintained by an entity, excluding certain good faith acquisitions. 

Type of Data Covered

Electronic.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, redacted, or protected by another method that renders it unreadable or unusable by unauthorized persons. 

Risk of Harm Analysis

Notification is not required if the entity establishes that misuse of the personally identifiable information or login credentials is not reasonably possible, and provides notice of and a detailed explanation of its determination to the Attorney General or the Department of Financial Regulation (if licensed or regulated by the Department).

If the entity subsequently obtains facts indicating that misuse of personally identifiable information or login credentials has occurred, consumer and regulatory notice must then be provided.

Consumer Notice Requirements

Timing: Must be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system. 

Content: Notice involving personally identifiable information must be clear and conspicuous, and include a description of each of the following, if known:

  • The incident in general terms;
  • The type of personal information that was subject to the breach;
  • The general acts taken to protect the personal information from further security breach;
  • A telephone number, toll-free if available, that the consumer may call for further information and assistance;
  • Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
  • The approximate date of the security breach. 

Method:

Written notice mailed to the residence; live telephonic notice made directly with each Vermont resident; or electronic notice if the entity has a valid email address for the resident and either: (1) the notice is consistent with the provisions regarding electronic records and signatures set forth in E-SIGN; or (2) the entity’s primary method of communication with the resident is by electronic means, the electronic notice does not request or contain a link to a request that the consumer provide personal information, and it conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches.


If a breach is limited to login credentials for an online account, notice of the breach must be provided to the consumer electronically or through one or more of the methods described above, and must advise the consumer to take the steps necessary to protect the online account, including changing his or her login credentials for that account and for any other account for which the consumer uses the same login credentials.


If a breach is limited to login credentials for an email account, notice of the breach must not be provided through that email account. The entity must instead provide notice through one of the methods described above, or by clear and conspicuous notice delivered to the consumer online through a location the entity knows the consumer customarily accesses.

Substitute notice is also available under certain circumstances.

Substitute Notice Requirements

Substitute notice may be provided if the cost of providing notice would exceed $10,000, or the entity does not have sufficient contact information. Substitute notice must consist of all of the following:

  • Conspicuous posting of the notice on the entity’s Internet webpage, if it maintains one; and
  • Notification to major statewide and regional media.

Delayed Notice Requirements

Notification may be delayed if law enforcement determines that notice will impede a criminal, national, or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. When law enforcement requests a delay but does not put the request in writing, the entity must document the request contemporaneously in writing, including the name of the officer and the agency making the request.

Government Notice Requirements

Must provide notice to the Attorney General or Department of Financial Regulation:

  • Within 14 business days of the date the entity discovers the breach or the date notice is provided to consumers, whichever is sooner.
  • If notice of the breach is provided to consumers, the notification to the Attorney General or the Department should include the number of Vermont residents affected, if known, and a copy of the notice sent to consumers.
  • The entity must give the date the breach occurred, the date the breach was discovered, and a description of the breach. If the date of the breach is not known, the entity must send notice to the Attorney General or the Department of Financial Regulation as soon as the date becomes known.
  • If regulated by the Department of Financial Regulation, the entity must provide notice to the Department. All other entities must provide notice to the Attorney General.
  • Any entity that has, prior to the breach, sworn in writing on a form and in a manner prescribed by the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information and to respond to breaches in a manner consistent with state law shall notify the Attorney General before providing notice to consumers.
  • If the breach is limited to the unauthorized acquisition of login credentials, notice to the Attorney General or the Department of Financial Regulation is only required if the login credentials were acquired directly from the entity or its agent.


Third Party Notice Requirements

If personal information is maintained on behalf of another entity, that entity (the owner or licensor of the information) must be notified immediately following discovery of a breach.

Consumer Reporting Agency Obligations

If more than 1,000 residents are notified, the entity must also notify without unreasonable delay all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

Potential Penalties

The Attorney General or the Department of Financial Regulation may seek to investigate and enforce the law, including imposing civil penalties.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.


Last updated: January 2024