On May 8, 2012, the Vermont General Assembly approved changes to the state’s consumer protection law (Act 109, in effect on passage 5/8/12). The changes include substantial revisions to Vermont’s data protection and notification law. A summary of the changes is provided below.

  • The term “personally identifiable information” (“PII”) has been adopted.
  •  “Security breach” is defined as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data.” 
  • In determining whether PII has been, or is reasonably believed to have been, acquired, the following factors may be considered:
    • Physical possession of the information (such as a lost or stolen computer or device);
    • Indications that information has been downloaded or copied;
    • Indications that information has been used (opening of fraudulent accounts or instances of identity theft reported); and
    • Information has been made public.   

Notification of a security breach to a consumer: 

  • must be made no later than 45 days after discovery, and
  • the approximate date of the security breach must also be provided to consumers. 

For notice of a security breach to the attorney general, two notifications are required:

  • First, within 14 business days of the discovery of the incident, the attorney general must be provided the date of the security breach, date of discovery, and a preliminary description of the breach. 
    • For an entity that has sworn in writing to the attorney general that it maintains written policies and procedures to maintain the security of PII, the attorney general must be provided the date of the security breach, date of discovery, and a preliminary description of the breach prior to notifying consumers. 
  • Second, once notice is made to consumers, the attorney general must be notified of the number of Vermont consumers affected and provided a copy of the notice. 
    • A second copy of the consumer notification letter, with the PII that was subject to the breach redacted, can also be provided to the attorney general; this copy will be used for any public disclosure of the breach.

The Vermont General Assembly’s Act 109 can be found here