On June 1, 2012, the Attorney General of Vermont announced a series of recent legislative moves to enhance the state’s consumer protection laws, including amendments to Vermont’s security breach notification law. The changes, which were signed into law by Governor Peter Shumlin in early May, include a revised definition of “security breach,” the addition of a 45-day timing requirement for notifying affected consumers, and a requirement to notify the state Attorney General within 14 days of discovering the breach (or when notifying consumers, if sooner).

Below is a summary of the key changes to Vermont’s security breach notification law:

  • Instead of applying to “personal information,” the amended law uses the term “personally identifiable information,” but the definition of the relevant data remains the same.
  • The amendments both narrow and broaden the scope of the definition of “security breach.” The breach notification law no longer applies to the unauthorized “access” of data, but notification is required if there is a “reasonable belief” that there has been unauthorized acquisition of a consumer’s personally identifiable information.
  • The law sets forth several factors (tracking similar language that appears in the New York state breach notification law) that may be considered when determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by an unauthorized party, including:
    • indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
    • indications that the information has been downloaded or copied;
    • indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
    • if the information has been made public.
  • Data collectors must notify affected consumers of a security breach no later than 45 days after they discover (or are notified of) the breach, consistent with the needs of law enforcement and with measures necessary to determine the scope of the breach and to restore the reasonable integrity, security and confidentiality of the data system. Vermont joins Florida, Ohio and Wisconsin as the fourth state to impose a 45-day notification timing requirement.
  • Data collectors must notify the state Attorney General’s Office within 14 business days of discovering the breach or when notifying consumers, whichever is sooner. This notification to the Attorney General must include:
    • the date of the security breach (if known at the time, or as soon as it is known);
    • the date of discovery of the breach; and
    • a “preliminary” description of the breach.

When the data collector notifies affected consumers, it must provide the Attorney General with:

  • the number of Vermont consumers affected, if known; and
  • a copy of the notice to consumers.

The data collector also may choose to send the Attorney General a second copy of the consumer notification letter that redacts the types of compromised personal data elements, which the Attorney General may use for a public disclosure regarding the breach.

View the full text of the bill (note: revisions to the breach notification law begin on page 9 of the PDF).

Read our previous post about recent breach guidance issued by California and Illinois and the new breach reporting forms released by UK and California regulators.