Significant Updates to Definitions
Most notably, the amendments significantly expand the definition of PII, following a growing trend among states to extend the reach of their data breach notification laws. The following data elements have been incorporated into the list of data elements that may trigger a data collector’s obligation to notify Vermont consumers of a data breach:
- Individual taxpayer identification number, passport number, military identification card number or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction.
- Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image or other unique physical representation or digital representation of biometric data.
- Genetic information.
- Health records or records of a wellness program or similar program of health promotion or disease prevention, including a health care professional’s medical diagnosis or treatment of the consumer or a health insurance policy number.[1]
The Act now also contains a definition of “login credentials,” defining them as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question that together permit access to an online account.”[2] Further, the amendments add the term “login credentials” to the definitions of other key terms, including the definition of “security breach.”[3]
Differing Notice Requirements
Fortunately for data collectors keeping up with the ever-changing landscape of data protection laws, the amendments to Vermont’s Act do not alter the general notice requirements and thresholds for notice under the law. For instance, the amendments do not change the requirement that data collectors notify consumers “in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery or notification” of the breach.[4] Likewise, the amendments do not change the types of information that data collectors must include in their notices.
However, the amendments do impose new notification requirements pertaining to breaches where only login credentials were involved. Unlike the requirements for notices related to PII, the amended Act now mandates that for breaches involving an unauthorized acquisition of login credentials for an online account other than an email account, the notice must “advise the consumer to take steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.”[5] If the breach compromises an email account, the amendments additionally provide that the data collector may not provide notice of the breach to that email account, and instead must use one of the other methods prescribed by Section 2435(b)(6) of the Act or by clear and conspicuous notice provided through the consumer’s online account.
In addition, although the Act requires data collectors to notify the Attorney General or Department of Financial Regulation (DFR) in addition to consumers whose PII was affected, the Act now specifies that where a breach involves only a compromise of login credentials, the data collector need only notify the appropriate regulator if the login credentials were acquired directly from the data collector or its agent. Where notice to the AG or DFR is required, however, the Act still mandates that the data collector provide them preliminary notice within 14 days of discovery of the breach or providing notice to consumers, whichever is sooner.
Substitute Notice
Of final note, the amendments have changed the threshold for permitting substitute notice as opposed to direct notice of a breach to consumers. Whereas the prior version of the Act permitted data collectors to use substitute notice if the cost of providing notice exceeded $5,000, the amendments have raised that threshold to $10,000.[6] Furthermore, although the amendments have removed the ability for data collectors to provide substitute notice if more than 5,000 consumers require written or telephone notice, substitute notice remains available where the data collector does not have sufficient contact information for a consumer.[7]
****
The expanded Vermont Security Breach Notice Act joins a growing body of state laws mandating context-specific notice and reporting obligations in the wake of data breaches. If you have any questions about your company’s obligations and compliance efforts, please contact a member of the Akin Gump Cybersecurity, Privacy and Data Protection team.
[1] See 9 V.S.A. § 2430(10) (definition of “personally identifiable information”). The Assistant AG notes in his April 27th letter that the health-related information is “intentionally broad” and based on the comprehensive data breach notification statutes of Oregon and Delaware.
[2] Id. § 2430(9).
[3] Id. § 2340(13).
[4] 9 V.S.A. § 2435(b)(2).
[5] Id. § 2435(d)(3).
[6] Id. § 2435(b)(6)(B)(i).
[7] Id. § 2435(b)(6)(B)(ii).