Security Breach Legislation in the State of Vermont

Vt. Stat. tit. 9 §§ 2430, 2435 is a data breach notification law that was passed in the U.S. state of Vermont in 2006 and was amended again in 2012. Vt. Stat. tit. 9 §§ 2430, 2435, in conjunction with The Vermont Act 171 of 2018 Data Broker Regulation, as well as the recently passed Senate Bill 110, represent the legal framework for the protection of the personal information and privacy of citizens residing within the state of Vermont. As it pertains to Vt. Stat. tit. 9 §§ 2430, 2435, the provisions of the law outline the procedures that business entities within the state are responsible for adhering to in the event that a security breach occurs. Furthermore, the law also sets forth the punishments that can be imposed against business entities within vermin that fail to comply with said procedures.

How is the term security breach defined under Vt. Stat. tit. 9 §§ 2430, 2435?

Under Vt. Stat. tit. 9 §§ 2430, 2435, a security breach is defined as the “unauthorized acquisition of electronic data or a reasonable belief of such unauthorized acquisition that compromises the security, confidentiality, or integrity of PI or login credentials maintained by an Entity.” On the other end of the spectrum, a security breach under Vt. Stat. tit. 9 §§ 2430, 2435, “does not include good-faith but unauthorized acquisition or access of PI or login credentials by an employee or agent of the Entity for a legitimate purpose of the Entity, provided that the PI or login credentials are not used for a purpose unrelated to the Entity’s business or subject to further unauthorized disclosure.”

What are the security breach notification requirements under Vt. Stat. tit. 9 §§ 2430, 2435?

Under Vt. Stat. tit. 9 §§ 2430, 2435, business entities that experience a security breach are required to provide conspicuous notice to all affected parties within 45 days of the discovery of the breach, as well as provide said parties with the following information:

• A description of the security breach, in general terms.
• The date on which the breach occurred.
• The types of personal information that were compromised as a result of the breach.
• The procedures that the affected entity had in place to prevent security breaches.
• A toll-free number that affected parties can contact for further information and assistance concerning the breach, if available.
• Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

What categories of personal information are protected under Vt. Stat. tit. 9 §§ 2430, 2435?

Under Vt. Stat. tit. 9 §§ 2430, 2435, the following categories of personal information a legally protected should a data breach occur, in combination with an individual’s first name or first initial and last name, in instances where these data elements have not been redacted, encrypted, or otherwise render inaccessible through any other technological means:
Social security numbers.

• Driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification numbers that originate from a government identification document that is commonly used to verify identity for a commercial transaction.
• Financial account numbers, credit, and debit card numbers, as well as associated information such as passcodes that could be used to grant access to an individual’s financial account.
• Genetic information.
• Biometric identifiers, which can include fingerprints and iris or retina images, among others.
• Health records or records of a wellness program or similar program of health promotion or disease prevention, a health care professional’s medical diagnosis or treatment of the consumer, or a health insurance policy number.

What are the penalties for violating Vt. Stat. tit. 9 §§ 2430, 2435?

In terms of the enforcement of Vt. Stat. tit. 9 §§ 2430, 2435, the Vermont attorney general has the authority to impose sanctions and penalties against business entities operating within the state that are found to have violated the provisions of the law. These punishments include:

• Injunctive relief.
• A civil subpoena.
• Monetary penalties of up to $10,000 for each violation.

Through the enactment of Vt. Stat. tit. 9 §§ 2430, 2435, residents within the state of Vermont can seek relief should they have their personal information compromised following a security breach. As Vt. Stat. tit. 9 §§ 2430, 2435 is one of many data privacy laws that have been passed in Vermont in the past decade, other states around the country will likely look consider taking a similar approach, as the U.S. federal government continues to deliberate on whether passing such legislation at the federal level is appropriate. Nevertheless, Vt. Stat. tit. 9 §§ 2430, 2435 ensures that Vermont residents can protect their personal information from invasions of privacy.