Information Covered / Important Definitions
Personal information of Vermont residents (referred to as “personally identifiable information”).
Definition also includes:
- a financial account number or credit or debit card number if the number could be used without additional identifying information, access codes, or passwords;
- a password, personal identification number, or other access code for a financial account;
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- genetic information; and
- (I) health records or records of a wellness program or similar program of health promotion or disease prevention; (II) a health care professional’s medical diagnosis or treatment of the consumer; or (III) a health insurance policy number.
"Data Collector" may include the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
“Security Breach” means unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality or integrity of a consumer’s personally identifiable information or login credentials maintained by a Data Collector.
“Encryption” means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
“Redaction” means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number are accessible as part of the data.
“Login credentials” means a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.
Specific to Data Brokers (2018 Data Broker Regulation):
"Brokered personal information": one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:
(iii) date of birth;
(iv) place of birth;
(v) mother's maiden name;
(vi) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(vii) name or address of a member of the consumer's immediate family or household;
(viii) Social Security number or other government-issued identification number; or
(ix) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
"Data Broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. (note: the statute contains several exemptions)
"Data Broker Security Breach" means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person.
Covered Entities* / Third Party Recipients
Subject to statute:
Any Data Collector that owns or licenses computerized personally identifiable information or login credentials.
Third party recipients:
Any Data Collector that maintains or possesses computerized data containing personally identifiable information or login credentials that the Data Collector does not own or license, or any Data Collector that acts or conducts business in Vermont and maintains or possesses records or data containing personally identifiable information or login credentials that the Data Collector does not own or license, shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement.
Note: The statute imposes various obligations on Data Brokers, including registration, breach record-keeping, and data security requirements. Further specific information is contained in the statute.
Notice Procedures & Timing / Other Obligations
Written, telephonic or electronic notice must be provided to victims of a security breach following a prompt investigation within the most expedient time possible and without unreasonable delay, but not later than forty-five (45) days after discovery of the breach or notification from a third party, unless a delay is requested by a law enforcement agency concerned that disclosure will impede a law enforcement investigation or a national or homeland security investigation or jeopardize public safety or national or homeland security interests (in which case notification is delayed until authorized by the law enforcement agency).
- Electronic notice only permitted under certain conditions.
- Substitute notice is available by means prescribed in the statute if the cost of providing notice would exceed $10,000, or the covered entity has insufficient contact information.
- Notice not required if covered entity establishes that misuse of personally identifiable information or login credentials is not reasonably possible and covered entity provides notice of such determination to the Attorney General or the Department of Financial Regulation, as applicable.
Security Breaches of Login Credentials:
- If a security breach is limited to an unauthorized acquisition of login credentials for an online account other than an e-mail account, consumer notice may be made electronically or through one or more of the methods specified in the statute and shall advise the consumer to take steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.
- If a security breach is limited to an unauthorized acquisition of login credentials for an email account: (A) the data collector shall not provide notice of the security breach through the email account; and (B) the data collector shall provide notice of the security breach through one or more of the methods specified in the statute or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an Internet protocol address or online location from which the data collector knows the consumer customarily accesses the account.
The notice to a consumer shall be clear and conspicuous. The notice shall include a description of each of the following, if known to the Data Collector:
(A) the incident in general terms;
(B) the type of personally identifiable information that was subject to the security breach;
(C) the general acts of the Data Collector to protect the personally identifiable information from further security breach;
(D) a telephone number, toll-free if available, that the consumer may call for further information and assistance;
(E) advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
(F) the approximate date of the security breach.
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Note: VT also imposes data destruction requirements pursuant to Vermont’s Data Destruction Act, and regulates collection, use and release of Social Security Numbers pursuant to the Social Security Number Protection Act. The applicable statutes contain specific obligations.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted, redacted or protected by another method that renders the data unreadable or unusable.
"Security breach" does not include good faith but unauthorized acquisition of personally identifiable information or login credentials by an employee or agent of the Data Collector for a legitimate purpose of the Data Collector, provided that the personally identifiable information or login credentials are not used for a purpose unrelated to the Data Collector's business or subject to further unauthorized disclosure. Financial institutions subject to certain federal interagency guidance regarding consumer information are exempt.
Covered entities subject to HIPAA shall be in compliance with the security breach notification requirements of the statute with respect to health information if notice is provided to consumers pursuant to HIPAA.
Notification to Regulator / Waiver
Attorney General must be notified within fourteen (14) business days of discovery of security breach or notification to consumers, whichever is sooner.
Notice must contain a preliminary description of the breach, the date of the breach, the date of discovery, the number of Vermont consumers affected, and a copy of any notice already provided to consumers.
The Data Collector may send to the Attorney General or the Department, as applicable, a second copy of the consumer notice, from which is redacted the type of personally identifiable information or login credentials that was subject to the breach, and which the Attorney General or the Department shall use for any public disclosure of the breach.
For Vermont-regulated financial institutions: Notice must be made to Vermont’s Department of Financial Regulation in the same manner as the Attorney General notice.
A Data Collector who, prior to the date of the breach, on a form and in a manner prescribed by the Attorney General, had sworn in writing to the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information or login credentials and respond to a breach in a manner consistent with Vermont law shall notify the Attorney General of the date of the security breach and the date of discovery of the breach and shall provide a description of the breach prior to providing notice of the breach to consumers.
A determination of no likelihood of harm:
Requires notification and detailed explanation to Attorney General.
If facts arise later indicating misuse is reasonably possible, the covered entity must notify affected residents.
A waiver of the statute is void and unenforceable.
Note: Data Broker Security Breaches do not require Attorney General or Consumer notice unless personal information is involved. However, the statute includes specific record-keeping and reporting requirements.
Private Cause of Action / Enforcement
Private Cause of Action: Yes*
*a private cause of action may be available to consumers under VT’s Consumer Protection Act
Enforcement by Attorney General and State’s Attorney only.
Enforcement by Department of Financial Regulation for regulated financial institutions.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.