The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Vermont
Data Breach Notification Statute
Highlights
Covered Entities: Any data collector, including the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and other entities that handle, collect, disseminate, own, or license computerized personally identifiable information or login credentials.
Consumer Notification: Notification must be provided to any Vermont resident whose unencrypted, unredacted, or unprotected personal information was or is reasonably believed to have been acquired without authorization.
Regulatory Notification: Notification must be provided to the Vermont Attorney General or the Department of Financial Regulation, as applicable, when any Vermont resident is required to be notified of a breach.
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery…”
Data Format: Electronic.
Citations: 9 V.S.A. § 2430, 2435
More Details
Definitions:
- Breach: Unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s PI or login credentials maintained by a data collector.
- Personal Information (PI):
- An individual’s first name or first initial and last name in combination with one or more of the following data elements that are unencrypted, unredacted, or unprotected by another method that renders them unreadable or unusable by unauthorized persons:
- Social Security number;
- Driver’s license or nondriver State identification card number;
- Individual taxpayer identification number;
- Passport number;
- Military identification card number;
- Other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
- Financial account number or credit or debit card number, with or without additional identifying information, access codes, or passwords;
- Unique biometric data;
- Genetic information;
- Health records or records of a wellness program or similar program of health promotion or disease prevention;
- Medical information;
- Health insurance information.
- Online account login credentials including a username or email address, in combination with a password or an answer to a security question that would permit access to an online account.
- Medical Information:
- Health records or records of a wellness program or similar program of health promotion or disease prevention; or
- A health care professional’s medical diagnosis or treatment of the consumer.
- Health Insurance Information: Health insurance policy number.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI was encrypted, redacted, or protected by another method that renders the PI unreadable or unusable by unauthorized persons.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for a legitimate purpose, provided that the PI or login credentials are not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if the data collector establishes that misuse of PI or login credentials is not reasonably possible and the data collector provides notice of that determination to the Attorney General or the Department of Financial Regulation.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation, or a national or Homeland Security investigation, or jeopardize public safety or national or Homeland Security interests. In the event law enforcement makes the request for a delay in a manner other than writing, the data collector must document such requests contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation.
Direct Notice:
- Timing: Notification of the security breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection, or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data systems.
- Format: Notice to a consumer shall be clear and conspicuous.
- Content: The notice shall include a description of each of the following, if known to the data collector:
- The incident in general terms;
- The type of personally identifiable information that was subject to the security breach;
- The general acts of the data collector to protect the personally identifiable information from further security breach;
- A telephone number, toll-free if available, that the consumer may call for further information and assistance;
- Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
- The approximate date of the security breach.
- Method: A data collector may provide notice of a security breach to a consumer by one or more of the following methods:
- Direct notice, which may be by one of the following methods:
- Written notice mailed to the consumer’s residence;
- Electronic notice, for those consumers for whom the data collector has a valid e-mail address if:
- the data collector’s primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches; or
- the notice is consistent with the provisions regarding electronic records and signatures for notices; or
- telephonic notice, provided that telephonic contact is made directly with each affected consumer and not through a prerecorded message.
Substitute Notice:
An entity may provide substitute notice if (1) the data collector demonstrates that the lowest cost of providing notice to affected consumers among written, email, or telephonic notice would exceed $10,000.00; or (2) the data collector does not have sufficient contact information. Substitute notice must be provided by conspicuously posting the notice on the data collector’s website, if the data collector maintains one, and by notifying major statewide and regional media.
Remediation Services:
N/A
Regulatory Notice:
Notification must be provided to the Vermont Attorney General or Department of Financial Regulation within 14 business days of the date the entity discovers the breach or the date notification is provided to consumers, whichever is sooner. An entity that, prior to the breach, has sworn in writing on a form and in a manner prescribed by the Attorney General that it maintains written policies and procedures to maintain the security of PI or login credentials and to respond to a breach in a manner consistent with Vermont law must notify the Attorney General of:
- the date of the security breach;
- the date of discovery of the breach; and
- a description of the breach prior to providing notice of the breach to consumers.
If the date of the breach is unknown, then the entity must send notice to the Attorney General as soon as the date becomes known.
If the entity provides notice of a breach to consumers, the entity must provide notice to the Attorney General or Department containing:
- the number of Vermont residents affected, if known; and
- a copy of the consumer notice.
If a security breach is limited to an unauthorized acquisition of login credentials, a data collector is only required to provide notice of the security breach to the Attorney General or Department of Financial Regulation, as applicable, if the login credentials were acquired directly from the data collector or its agent.
Credit Reporting Agencies Notice:
If the entity provides notice to more than 1,000 persons, the entity must notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notice.
Third-Party Notice:
Any data collector that maintains or possesses computerized data containing PI or login credentials that the data collector does not own or license must notify the owner or licensee of the PI of a “breach” immediately following discovery.
HIPAA:
A “covered entity” for purposes of the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with the relevant notice content requirements if (1) the data collector experienced a “breach” that is limited to health records or records of a wellness program or similar program of health promotion or disease prevention, a health care professional’s medical diagnosis or treatment of the consumer, or a health insurance policy number, and (2) the data collector provides notice to affected consumers pursuant to the requirements of HIPAA.
Private Action:
Civil penalties may be imposed by the Vermont Attorney General or the Department of Financial Regulation after an investigation.
Associated Regulations:
- Information Security Standard (9 V.S.A. § 2447)
Information Security Standard
Highlights
Covered Entities: Any entity that is in the business of disposing of personal financial information that conducts business in Vermont or disposes of personal information of residents of Vermont.
First Party Security Standard: Must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.
Third-Party Security Standard: Data Brokers: A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one (1) or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the data broker obligated to safeguard the PI under such comprehensive information security program; the amount of resources available to the data broker; the amount of stored data; and the need for security and confidentiality of PI.
Disposal/Destruction Standard: A business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:
- Ensuring the security and confidentiality of customer personal information;
- Protecting against any anticipated threats or hazards to the security or integrity of customer personal information; and
- Protecting against unauthorized access to or use of customer personal information that could result in substantial harm or inconvenience to any customer.
Data Format: Electronic and Paper.
Citations: 9 V.S.A. § 2445; 9 V.S.A. § 2447
More Details
Definitions:
- Personal Information (PI): PI means a consumer’s first name or first initial and last name in combination with one (1) or more of the following digital data elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons:
- Social Security number;
- A driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
- Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords;
- A password, personal identification number, or other access code for a financial account;
- Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- Genetic information; or
- Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.
PI does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.
- Data Broker: A business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
Methods of Compliance: A data broker subject to this subsection shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of PI and information of a similar character set forth in other State rules or federal regulations applicable to the data broker. The program shall, at a minimum, have the following features:
- Designation of one (1) or more employees to maintain the program;
- Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing PI, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including:
- Ongoing employee training, including training for temporary and contract employees;
- Employee compliance with policies and procedures; and
- Means for detecting and preventing security system failures;
- Security policies for employees relating to the storage, access, and transportation of records containing PI outside business premises;
- Disciplinary measures for violations of the comprehensive information security program rules;
- Measures that prevent terminated employees from accessing records containing PI;
- Supervision of service providers, by:
- Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect PI consistent with applicable law; and
- Requiring third-party service providers by contract to implement and maintain appropriate security measures for PI;
- Reasonable restrictions upon physical access to records containing PI and storage of the records and data in locked facilities, storage areas, or containers;
- Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI, and upgrading information safeguards as necessary to limit risks;
- Regular review of the scope of the security measures: at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing PI;
- Documentation of responsive actions taken in connection with any incident involving a breach of security; and
- Mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of PI.
A comprehensive information security program required by this section shall at minimum, and to the extent technically feasible, have the following elements:
- Secure user authentication protocols, as follows:
- An authentication protocol that has the following features:
- Control of user IDs and other identifiers;
- A reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices;
- Control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect;
- Restricting access to only active users and active user accounts; and
- Blocking access to user identification after multiple unsuccessful attempts to gain access; or
- An authentication protocol that provides a higher level of security than the features specified in subdivision (A) of this subdivision (c)(1);
- Secure access control measures that:
- Restrict access to records and files containing PI to those who need such information to perform their job duties; and
- Assign to each person with computer access unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls or a protocol that provides a higher degree of security;
- Encryption of all transmitted records and files containing PI that will travel across public networks and encryption of all data containing PI to be transmitted wirelessly or a protocol that provides a higher degree of security;
- Reasonable monitoring of systems for unauthorized use of or access to PI;
- Encryption of all PI stored on laptops or other portable devices or a protocol that provides a higher degree of security;
- For files containing personally identifiable information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information or a protocol that provides a higher degree of security;
- Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis or a protocol that provides a higher degree of security; and
- Education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
Exclusions:
- Health Care: These requirements do not apply to any health insurer or health care facility that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996.
- Financial: These requirements do not apply to any bank, credit union, or financial institution that is subject to the privacy and security provisions of the Gramm-Leach-Bliley Act.
- Other: These requirements do not apply to any consumer reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.
Enforcement/Penalties:
A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of Section 2453 of this title.
With respect to all businesses, the Attorney General and State’s Attorney shall have sole and full authority to investigate potential violations of this section, and to prosecute, obtain, and impose remedies for a violation of this section. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State’s Attorney under this subsection.
With respect to a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title to do business in this State, the Department of Financial Regulation shall have full authority to investigate potential violations of this chapter, and to prosecute, obtain, and impose remedies for a violation of this chapter, or any rules or regulations made pursuant to this chapter, as the Department has under Title 8 and this title, or any other applicable law or regulation.
Associated Regulations:
N/A