| 9 Vt. Stat. Ann. §§ 2430; 2447 | |
|---|---|
| Subject Entities | “Data Brokers” defined as a business, or unit(s) of a business, that knowingly collects, sells, or licenses to third parties the brokered personal information of a resident with whom the business does not have a direct relationship. Examples of a direct relationship include a past or present: customer, client, etc., of the business’s goods or services; employee, contractor, or agent of the business; investor in the business; or donor to the business. |
| Security Standard | Must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards and is appropriate to the size, scope, and type of the entity’s business, the amount of available resources, the amount of stored data, and the need for security and confidentiality of personally identifiable information. |
| Disposal/Destruction Standard | None. |
| Types of Data Covered | Electronic or paper. |
| Definitions | “Personally Identifiable Information” is an individual’s first name or first initial and last name, in combination with one or more of the following unencrypted or unredacted data sets: <br> “Brokered Personal Information” means one or more of the following data elements about a consumer, if categorized or organized for dissemination to third parties: <br> “Security Breach” means unauthorized acquisition of electronic data, or reasonable belief of such acquisition, that compromises the security, confidentiality, or integrity of a consumer’s PII or login credentials maintained by a data collector. |
| Methods of Compliance | An entity’s comprehensive information security program is required to have the following features at a minimum: |
| Enforcement | The Attorney General has authority to implement this statute, conduct civil investigations, enter into assurances of discontinuance, and bring civil actions for violations. |
| Penalties | Violation of the statute is an unfair and deceptive act. |
Last updated: January 2024