On May 8th, Vermont became the most recent state to amend its security breach notification law (9 V.S.A. §§ 2430 and 2435).  The primary changes to Vermont’s security breach notification law are as follows:
  • The amendment adds factors to consider when determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by an unauthorized person, including indications that the information: (i) is in the physical possession and control of a person without valid authorization, (ii) has been downloaded or copied, (iii) was used by an unauthorized person, or (iv) has been made public.  (§ 2430(8)(C))
  • The law’s notification requirements were previously triggered by either unauthorized acquisition or access of personally identifiable information.  As amended, the requirements are only triggered by unauthorized “acquisition.”  At first blush, one might think this means that if data were merely accessed remotely from a Web site but not actually taken possession of, the law’s requirements are not triggered.  However, as discussed above, the amendment also adds four factors to be considered in determining whether there has been an unauthorized acquisition. One of those factors is whether the information has “been made public.”  Accordingly, this factor should be taken into consideration when interpreting the word “acquisition” in the amended law. (§ 2430(8)(A))
  • Prior to the amendment, companies were required to notify consumers affected by a security breach in the most expedient time possible and without unreasonable delay.  This is still required, but the amendment adds that consumers must be notified, in any event, no later than 45 days after discovery or notification of the breach. (§ 2435(b)(1))
  • Companies are required to notify the Attorney General of Vermont within 14 business days of the company’s discovery of the breach or when the company provides notice to consumers, whichever is earlier.  The notice to the Attorney General must include the date of the breach and of its discovery, and a preliminary description of the breach. There were no such obligations previously.  The information provided to the Attorney General pursuant to this requirement will not be made public.  As an exception to this preliminary notification requirement, companies that have certified in advance to the Attorney General that they maintain written policies and procedures to maintain the security of personally identifiable information and respond to a breach in a manner consistent with Vermont law are exempt from this preliminary notification requirement; instead, they must provide this notification to the Attorney General at any time prior to notifying consumers.  (§ 2435(b)(3)(A)(i))
  • When notifying Vermont consumers affected by a security breach, companies must provide an additional notice to the Attorney General of Vermont which includes the number of Vermont consumers affected (if known) and a copy of the notice provided to affected consumers.  The information provided to the Attorney General pursuant to this requirement will be made public, and, as such, we recommend that the company also provide a second copy of the letter with the types of personally identifiable information involved redacted. This second copy will be used by the Attorney General’s office for public disclosure purposes.  (§ 2435(b)(3)(B)(i) and (ii))
  • The notice letter that must be sent to affected consumers must now include the approximate date of the incident, in addition to the other information that was required by the law before it was amended.  (§ 2430(b)(5)(F))
  • Finally, as a result of the amendment, a toll-free number is no longer required to be included in the notice letter to consumers unless one is available. (§ 2430(b)(5)(D))