Vermont Information Security Standards Summary

9 Vt. Stat. Ann. §§ 2430, 2447


Subject Entities

“Data Broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

A direct relationship exists where the consumer is a past or present customer, client, or other user of the business’s goods or services; an employee, contractor, or agent of the business; an investor in the business; or a donor to the business.

Security Standard

A data broker must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of the entity’s business, the amount of resources available to it, the amount of stored data, and the need for security and confidentiality of personally identifiable information.

Disposal/Destruction Standard

None. 

Types of Data Covered

Electronic or paper.

Definitions

“Personally Identifiable Information” means an individual’s first name or first initial and last name in combination with one or more of the following data elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons:

  • Social Security number;
  • Driver’s license number or non-driver identification card number;
  • Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords;
  • Account passwords, personal identification numbers, or other access codes for a financial account;
  • Taxpayer identification number;
  • Passport number;
  • Military identification number;
  • Other government identification numbers commonly used to verify identity for commercial transactions;
  • Biometric data;
  • Genetic information;
  • Health records and records from other wellness, health promotion, or disease prevention programs;
  • Medical diagnosis or treatment information; and
  • Health insurance policy number.

“Brokered Personal Information” means one or more of the following data elements about a consumer, if categorized or organized for dissemination to third parties:

  • Name;
  • Address;
  • Date of birth;
  • Place of birth;
  • Mother’s maiden name;
  • Biometric data;
  • Name or address of a member of the consumer’s immediate family or household;
  • Social Security number or other government-issued identification number; or
  • Other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.

“Security Breach” means the unauthorized acquisition of electronic data, or a reasonable belief of such acquisition, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information or login credentials maintained by a data collector.

Methods of Compliance

An entity’s comprehensive information security program is required to have the following features at a minimum:

  • Minimum Information Security Features
    • Designation of one or more employees to maintain the program;
    • Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personally identifiable information, and a process for evaluating and improving the effectiveness of the current safeguards for limiting those risks, including:
      • ongoing employee training;
      • employee compliance with policies and procedures; and
      • means for detecting and preventing security system failures;
    • Policies for the storage, access, and transportation of personally identifiable information outside business premises;
    • Disciplinary measures for violations of the program;
    • Measures that prevent terminated employees from accessing personally identifiable information;
    • Supervision of third-party service providers, including:
      • selecting and retaining service providers capable of maintaining appropriate security measures consistent with applicable law; and
      • requiring service providers by contract to implement and maintain appropriate security measures for personally identifiable information;
    • Reasonable restrictions on physical access to personally identifiable information;
    • Regular monitoring of the program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personally identifiable information, and upgrading safeguards as necessary to limit risks;
    • Review of the scope of the security measures at least annually and whenever there is a material change in business practices that may affect personally identifiable information; and
    • Documentation of the actions taken in response to any security breach, and a mandatory post-incident review of events and of any resulting changes to business practices.
  • Minimum Computer System Security Requirements
    • Secure user authentication protocols that include:
      • control of user IDs and other identifiers;
      • a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies;
      • control of data security passwords so that they are kept in a location and format that do not compromise the security of the data they protect;
      • restriction of access to active users and active user accounts only; and
      • blocking access to a user identification after multiple unsuccessful attempts to gain access;
    • Secure access control measures that:
      • restrict access to personally identifiable information to those employees who need the information to perform their job duties; and
      • assign unique identifications plus passwords, reasonably designed to maintain the integrity of the access controls, to each person with computer access, or use a protocol that provides a higher degree of security;
    • Encryption of all personally identifiable information that will travel across public networks or be transmitted wirelessly;
    • Reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;
    • Encryption of all personally identifiable information stored on laptops or other portable devices;
    • Where personally identifiable information is maintained on a system connected to the Internet, reasonably up-to-date firewall protection and operating system security patches reasonably designed to maintain the integrity of the information;
    • Reasonably up-to-date system security agent software, including malware protection and current patches and virus definitions; and
    • Education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
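The statute lists what a secure user authentication protocol must do but not how; the following Python sketch is an added example, not text from the statute or from any Vermont guidance, showing one way the four authentication features above fit together: unique user identifiers, passwords stored only as salted PBKDF2 hashes (a format that does not compromise the data it protects), denial of access to deactivated accounts, and a temporary lockout after repeated failures. The threshold of five attempts, the 15-minute lockout, the iteration count, and every class and function name are assumptions chosen for illustration; the statute says only "multiple" attempts.

```python
"""Added example of a minimal authentication gate with the features the
Vermont data broker security standard lists.  All thresholds and names are
illustrative assumptions, not statutory values."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # assumption: statute says only "multiple"
LOCKOUT_SECONDS = 15 * 60        # assumption: length of the lockout window
DEFAULT_ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor (OWASP-scale)
_DUMMY_SALT = bytes(16)          # used to equalise timing for unknown users


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes               # PBKDF2 output; the clear-text password is never stored
    active: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0    # monotonic timestamp; 0.0 means not locked


class AuthStore:
    """In-memory account store; a real deployment would back this with a database."""

    def __init__(self, clock=time.monotonic, iterations=DEFAULT_ITERATIONS):
        self._accounts: dict[str, Account] = {}
        self._clock = clock          # injectable so lockout expiry can be tested
        self._iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def register(self, user_id: str, password: str) -> None:
        # "control of user IDs": identifiers are unique and never reused while present
        if user_id in self._accounts:
            raise ValueError(f"user identifier already assigned: {user_id}")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt))

    def deactivate(self, user_id: str) -> None:
        # "access restricted to active users": e.g. a terminated employee
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals why a denial happened."""
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None:
            # Burn the same hashing cost so response time does not leak whether
            # the identifier exists.
            self._derive(password, _DUMMY_SALT)
            return "denied"
        if not acct.active:
            return "denied"
        if acct.locked_until > now:
            return "locked"      # even a correct password is refused during lockout
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # "blocking access after multiple unsuccessful attempts"
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    print(store.authenticate("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("alice", "wrong password"))
```

The lockout is time-based rather than permanent so that an attacker cannot lock legitimate users out indefinitely by guessing at their identifiers; pairing it with the monitoring requirement above (logging every "locked" result) turns the same counter into a detection signal for credential-stuffing.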

Enforcement

The Attorney General has authority to implement the statute, conduct civil investigations, enter into assurances of discontinuance, and bring civil actions for violations.

Penalties

A violation of the statute is treated as an unfair and deceptive act in commerce.


Last updated: January 2024