Skip to main content

Vermont Updates Data Breach Notification Law

Written by Amy Malone

Effective as of May 8, 2012, Vermont’s updated data breach law (Act 109) brings along several changes.  The biggest change is in the notification requirements.  Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach (if known).  To further complicate matters, notification to the Vermont Attorney General must occur within 14 business days of either the discovery of the breach or notice to the consumers, whichever is sooner and must include the date of the security breach, date of discovery of the breach and a preliminary description of the breach.

Act 109 also adopts the industry standard label of PII (formerly “personal information”) and changes the definition of security breach.  Previously, the security breach definition included acquisition or “access.”  The legislature has dropped the reference to access and now defines a breach as an “unauthorized acquisition…or a reasonable belief of an unauthorized acquisition”.  The legislation also gives a list of factors that may help determine whether the PII has been or is reasonably believed to be acquired.

If you have questions about compliance with the new Vermont data breach notification law -- or any other state data breach notification law --  contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.