Vermont Data Privacy and Customer Protection Overview and Breach Notification Requirements

Mar 6, 2020

Reading Time : 3 min

By: Natasha G. Kohne, Rebecca Kocsis (Legal Project Analyst)

Significant Updates to Definitions

Most notably, the amendments significantly expand the definition of PII, following a growing trend among states to extend the reach of their data breach notification laws. The following data elements have been incorporated into the list of data elements that may trigger a data collector’s obligation to notify Vermont consumers of a data breach:

  • Individual taxpayer identification number, passport number, military identification card number or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image or other unique physical representation or digital representation of biometric data
  • Genetic information.
  • Health records or records of a wellness program or similar program of health promotion or disease prevention, including a health care professional’s medical diagnosis or treatment of the consumer or a health insurance policy number.1

The Act now also contains a definition of “login credentials,” defining them as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question that together permit access to an online account.”2 Further, the amendments add the term “login credentials” to the definitions of other key terms, including the definition of “security breach.”3

Differing Notice Requirements

Fortunately for data collectors keeping up with the ever-changing landscape of data protection laws, the amendments to Vermont’s Act do not alter the general notice requirements and thresholds for notice under the law. For instance, the amendments do not change the requirement that data collectors notify consumers “in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery or notification” of the breach.4 Likewise, the amendments do not change the types of information that data collectors must include in their notices.

However, the amendments do impose new notification requirements pertaining to breaches where only login credentials were involved. Unlike the requirements for notices related to PII, the amended Act now mandates that for breaches involving an unauthorized acquisition of login credentials for an online account other than an email account, the notice must “advise the consumer to take steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.”5 If the breach compromises an email account, the amendments additionally provide that the data collector may not provide notice of the breach to that email account, and instead must use one of the other methods prescribed by Section 2435(b)(6) of the Act or by clear and conspicuous notice provided through the consumer’s online account.

In addition, although the Act requires data controllers to notify the Attorney General or Department of Financial Regulation (DFR) in addition to consumers whose PII was affected, the Act now specifies that where a breach involves only a compromise to login credentials, the data collector only need notify the appropriate regulator if the login credentials were acquired directly from the data collector or its agent. Where notice to the AG or DFR is required, however, the Act still mandates that the data collector provide them preliminary notice within 14 days of discovery of the breach or providing notice to consumers, whichever is sooner.

Substitute Notice

Of final note, the amendments have changed the threshold for permitting substitute notice as opposed to direct notice of a breach to consumers. Whereas the prior version of the Act permitted data controllers to use substitute notice if the cost of providing notice exceeded $5,000, the amendments have raised that threshold to $10,000.6 Furthermore, although the amendments have removed the ability for data collectors to provide substitute notice if more than 5,000 consumers require written or telephone notice, substitute notice remains available where the data collector does not have sufficient contact information for a consumer.7

****

The expanded Vermont Security Breach Notice Act joins a growing body of state laws mandating context-specific notice and reporting obligations in the wake of data breaches. If you have any questions about your company’s obligations and compliance efforts, please contact a member of the Akin Gump Cybersecurity, Privacy and Data Protection team.


1 See 9 V.S.A. § 2430(10) (definition of “personally identifiable information”). The Assistant AG notes in his April 27th letter that the health-related information is “intentionally broad” and based on the comprehensive data breach notification statutes of Oregon and Delaware.

2 Id. § 2430(9).

3 Id. § 2340(13).

4 9 V.S.A. § 2435(b)(2).

5 Id. § 2435(d)(3).

6 Id. § 2435(b)(6)(B)(i).

7 Id. § 2435(b)(6)(B)(ii).
