Vermont Amends Security Breach Notification Law

On May 8th, Vermont became the most recent state to amend its security breach notification law (9 V.S.A. §§ 2430 and 2435).

The primary changes to Vermont’s security breach notification law are as follows:

• The law’s notification requirements are no longer triggered by mere “access” to personally identifiable information. Actual “acquisition” of the information (or a reasonable belief thereof) is required in order for there to have been a security breach under the amended law. (§ 2430(8)(A))

• The amendment adds factors to consider when determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by an unauthorized person, including indications that the information: (i) is in the physical possession and control of a person without valid authorization, (ii) has been downloaded or copied, (iii) was used by an unauthorized person, or (iv) has been made public. (§ 2430(8)(C))

• Companies are required to notify consumers affected by a security breach within 45 days of discovery or notification of the breach, whereas prior to the amendment, they merely had to do so “in the most expedient time possible and without unreasonable delay...” (§ 2435(b)(1))

• Companies are required to notify the Attorney General of Vermont within 14 business days of the company’s discovery of the breach or when the company provides notice to consumers, whichever is earlier. The notice to the Attorney General must include the date of the breach and of its discovery, and a preliminary description of the breach. There were no such obligations previously. (§2435(b)(3)(A)(i))

• After notifying Vermont consumers affected by a security breach, companies must provide an additional notice to the Attorney General of Vermont which includes the number of Vermont consumers affected (if known) and a copy of the notice provided to affected consumers. It is recommended that the company also provide a second copy of the letter with the types of personally identifiable information involved redacted, which the Attorney General’s office can use for public disclosure purposes. (§2435(b)(3)(B)(i) and (ii))

• The notice letter that must be sent to affected consumers must now include the approximate date of the incident, in addition to the other information that was required by the law before it was amended. (§2430(b)(5)(F))

• Finally, as a result of the amendment, a toll-free number is no longer required to be included in the notice letter to consumers unless one is available. (§2430(b)(5)(D))