Vermont Updates Data Breach Notification Laws
Chris Merritt - June 13th, 2012
Updates to the Vermont Data Protection and Breach Notification laws came into effect in May 2012. As readers of my posts know (yo G!), although I seem to play one in this blog, IANAL. With that said, since these laws seem to cover any business in the US and beyond, you should take a quick look at Vermont’s data protection laws.
First, let’s look at the changes promulgated by Vermont’s updated data breach law (Act 109).
- They adopted the more standard phrase “Personally Identifiable Information” (PII) but did not change what constitutes PII, which to my eyes seems in line with most States’ definitions.
- They made more substantial changes in the definition of what constitutes a data breach, removing the “on access” criterion and leaving it as “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of an individual’s PII.
- They go on to provide guidance on how to determine if a data breach occurred, including the following factors:
(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information; (ii) indications that the information has been downloaded or copied; (iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or (iv) that the information has been made public.
- They changed the notification timeline by adding “but not later than 45 days after the discovery or notification” to the fairly standard “most expedient time possible and without unreasonable delay” used by most States.
- But the real sting in the tail comes in §2435(b)(3)(A) which states that, in the event of a data breach, the affected business needs to inform the AG within 14 days of discovering the breach of the following: date of the breach, date of discovery, and (preliminary) description of the breach. There’s some additional language about who gets what information when, so this warrants a thorough going-through with your counsel.
- Finally, they added a requirement that breach notifications sent to consumers should include the approximate date of the breach.
Beyond the recent changes, here are some things about the Vermont data protection law which you should probably know about.
- It covers all organizations (except for certain State agencies), regardless of location, which have PII on the State’s citizens.
- There is a “safe harbor” exemption for encryption.
- Substitute notification provisions are defined for certain cases.
- The penalties are up to $10,000 per violation.
- There is no right to private action, but individuals do have a right to seek injunctive relief.
The State of Vermont has a number of resources on their website which might be useful to those of you impacted by this law:
- The Privacy and Data Security page, which includes information on the Vermont Cyber Security Project (see here for an upcoming event), the Scan Vermont project (free security scans for small businesses provided by Norwich University), and more.
- They also link to the FTC’s Bureau of Consumer Protection Data Security page which provides a lot of information for business.
- The VT data breach laws are available online under Title 9 (Commerce and Trade), Chapter 62 (Protection of Personal Information), which includes:
  - Title 9 Chapter 62 §2430 covers the Definitions, which as noted above are somewhat changed by Act 109.
  - Title 9 Chapter 62 §2435 is the section on Notice of Security Breaches, which is where the bulk of the interesting bits are.
  - Title 9 Chapter 62 §2440 covers Social Security Number Protection.
  - Title 9 Chapter 62 §2445 covers the Safe Destruction of Documents Containing Personal Information.
- Finally, Title 9 Chapter 63 §2461 covers the Civil Penalty aspects of the data breach notification law.
So, there you have it. Another data breach law in the patchwork of state data breach laws impacting organizations in the US (and beyond). As of June 1, 2012, only Alabama, Kentucky, New Mexico and South Dakota have no laws related to security breach notification – but remember that you are subject to many states’ laws if a data breach has impacted customers in their jurisdiction, regardless of your location.
It’s obviously difficult to stay on top of them all – especially now that the issue of data protection seems to have finally become important at the state level – but I personally don’t have much expectation in the near-term for a US federal law to put an end to this frustrating hodgepodge of state laws. So, in the meantime, you had probably better ascertain what current data protection best practices are, regardless of the specifics in your state, and begin to implement them.
If you’re uncertain where to begin, understanding the California Data Protection laws and Massachusetts CMR 17.00 might be a good start – these are among the most comprehensive and stringent. Of course, one of the first things I would recommend is to implement an all-inclusive data encryption program – because almost all jurisdictions have some sort of safe harbor clause in their statute.