Vermont


9 V.S.A. §§ 2430, 2435

S. 284 (signed into law May 18, 2006, Act 162) Amended by H. 254 (signed into law May 8, 2012, Act 109).

Effective May 8, 2012.

H. 513 (signed into law May 13, 2013)

Effective May 13, 2013 

Application.  Any data collector, including, but not limited to, the state, state agencies, political subdivisions of the state, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic PI (Entity), that owns or licenses computerized PI that includes PI concerning an individual residing in VT.

Security Breach Definition
.  Unauthorized acquisition of electronic data or a reasonable belief of such unauthorized acquisition that compromises the security, confidentiality, or integrity of PI maintained by an Entity.
    • Does not include good-faith but unauthorized acquisition or access of PI by an employee or agent of the Entity for a legitimate purpose of the Entity, provided that the PI is not used for a purpose unrelated to the Entity’s business or subject to further unauthorized disclosure.
To determine whether this definition applies, any Entity may consider the following factors (among others):
    • Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

    • Indications that the information has been downloaded or copied;

    • Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

    • That the information has been made public.
Notification Obligation.  An Entity shall notify affected individuals residing in VT that there has been a security breach following discovery or notification to the Entity of the breach.
    • Notice of a security breach is not required if the Entity establishes that misuse of PI is not reasonably possible and the Entity provides notice of the determination that the misuse of the PI is not reasonably possible and a detailed explanation for said determination to the VT AG or to the Department of Banking, Insurance, Securities, and Health Care Administration in the event that the Entity is a person or entity licensed or registered with the Department.
Notification to Consumer Reporting Agencies. In the event an Entity is required to provide notice to more than 1,000 residents of VT at one time, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.  This subsection shall not apply to a person who is licensed or registered under Title 8 by the department of banking, insurance, securities, and health care administration.

Attorney General/Agency Notification. An Entity shall notify the AG or Department of Financial Regulation of any breach within 14 days of the date the Entity discovers the breach or the date the Entity provides notice to consumers, whichever is sooner.

Any Entity that has, prior to the breach, sworn in writing on a form and in a manner prescribed by the AG that the Entity maintains written policies and procedures to maintain the security of PI and respond to breaches in a manner consistent with state law shall notify the AG before providing notice to consumers. Notice to the AG shall contain the date the breach occurred, the date the breach was discovered, and a description of the breach. If the date of the breach is unknown, then the Entity shall send notice to the AG as soon as the date becomes known. 

If an Entity provides notice of the breach to consumers, the Entity shall notify the AG or the Department of the number of Vermont affected, if known, and shall provide a copy of the notice that was provided to consumers. An Entity may also send the AG or Department a second copy of the notice to consumers that redacts the type of PI breached for any public disclosure of the breach.

Third-Party Data Notification.  Any Entity that maintains or possesses computerized data containing PI of an individual residing in VT that the Entity does not own or license or any Entity that conducts business in VT that maintains or possesses records or data containing PI that the Entity does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement.

Timing of Notification.  Notice of the breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery of the breach, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

Personal Information Definition.  An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:
    • Social Security Number;

    • Motor vehicle operator’s license number or nondriver identification card number;

    • Account number or credit card number or debit card number if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or

    • Account passwords or personal identification numbers or other access codes for a financial account.
PI does not mean publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. The notice to a consumer shall be clear and conspicuous and include a description of each of the following, if known to the Entity:
    • The incident in general terms;

    • The type of PI that was subject to the security breach;

    • The general acts of the Entity to protect the PI from further security breach;

    • A toll-free telephone number (toll-free, if available) that the consumer may call for further information and assistance; and

    • Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and

    • The approximate date of the security breach.
Notice may be provided by one of the following methods:
    • Written notice mailed to the individual’s residence;

    • Telephonic notice, provided that telephonic contact is made directly with each affected resident of VT, and the telephonic contact is not through a prerecorded message; or

    • Electronic notice, for those individuals for whom the Entity has a valid e-mail address if: (i) the Entity does not have the individual’s address or telephone contact information, the Entity’s primary method of communication with the individual is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the individual provide PI, and the electronic notice conspicuously warns individuals not to provide PI in response to electronic communications regarding security breaches; or (ii) the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act). 
Substitute Notice Available.  If the Entity demonstrates that the cost of providing written or telephonic notice to affected residents would exceed $5,000, or that the affected class of affected residents to be provided written or telephonic notice exceeds 5,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
    • Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and

    • Notification to major statewide and regional media.
Exception: Compliance with Other Laws.
    • A financial institution that is subject to the following guidance, and any revisions, additions, or substitutions relating to said interagency guidance shall be exempt from this section: (i) The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or (ii) Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.
Other Key Provisions:
    • Delay for Law Enforcement. The required notice to a consumer shall be delayed upon request of a law enforcement agency. A law enforcement agency may request the delay if it believes that notification may impede a law enforcement investigation, or a national or homeland security investigation, or jeopardize public safety or national or homeland security interests. In the event law enforcement makes the request in a manner other than in writing, the Entity shall document such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The Entity shall provide the required notice without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communication, from the law enforcement agency withdrawing its request for delay.

    • AG Enforcement.

    • Waiver Not Permitted.