The Vermont Statutes Online
Title 09: Commerce and Trade
Chapter 062: PROTECTION OF PERSONAL INFORMATION
Subchapter 001: GENERAL PROVISIONS
§ 2430. Definitions
The following definitions shall apply throughout this chapter unless otherwise required:
(1) "Business" means a sole proprietorship, partnership, corporation,
association, limited liability company, or other group, however organized and
whether or not organized to operate at a profit, including a financial
institution organized, chartered, or holding a license or authorization
certificate under the laws of this State, any other state, the United States,
or any other country, or the parent, affiliate, or subsidiary of a financial
institution, but in no case shall it include the State, a State agency, or any
political subdivision of the State.
(2) "Consumer" means an individual residing in this State.
(3) "Data collector" may include the State, State agencies, political subdivisions
of the State, public and private universities, privately and publicly held
corporations, limited liability companies, financial institutions, retail
operators, and any other entity that, for any purpose, whether by automated
collection or otherwise, handles, collects, disseminates, or otherwise deals
with nonpublic personal information.
(4) "Encryption" means use of an algorithmic process to transform data
into a form in which the data is rendered unreadable or unusable without use of
a confidential process or key.
(5)(A) "Personally identifiable information" means an individual's first
name or first initial and last name in combination with any one or more of the
following data elements, when either the name or the data elements are not
encrypted or redacted or protected by another method that renders them
unreadable or unusable by unauthorized persons:
(i) Social Security number;
(ii) motor vehicle operator's license number or nondriver identification card number;
(iii) financial account number or credit or debit card number, if circumstances exist in which
the number could be used without additional identifying information, access
codes, or passwords;
(iv) account passwords or personal identification numbers or other access codes for a
financial account.
(B) "Personally identifiable information" does not mean publicly
available information that is lawfully made available to the general public
from federal, State, or local government records.
(6) "Records" means any material on which written, drawn, spoken, visual,
or electromagnetic information is recorded or preserved, regardless of physical
form or characteristics.
(7) "Redaction" means the rendering of data so that it is unreadable or
is truncated so that no more than the last four digits of the identification
number are accessible as part of the data.
(8)(A) "Security breach" means unauthorized acquisition of electronic data
or a reasonable belief of an unauthorized acquisition of electronic data that
compromises the security, confidentiality, or integrity of a consumer's
personally identifiable information maintained by the data collector.
(B) "Security breach" does not include good faith but unauthorized
acquisition of personally identifiable information by an employee or agent of
the data collector for a legitimate purpose of the data collector, provided
that the personally identifiable information is not used for a purpose
unrelated to the data collector's business or subject to further unauthorized
disclosure.
(C) In determining whether personally identifiable information has been acquired or is
reasonably believed to have been acquired by a person without valid
authorization, a data collector may consider the following factors, among
others:
(i) indications that the information is in the physical possession and control of a person
without valid authorization, such as a lost or stolen computer or other device
containing information;
(ii) indications that the information has been downloaded or copied;
(iii) indications that the information was used by an unauthorized person, such as fraudulent
accounts opened or instances of identity theft reported; or
(iv) that the information has been made public.
(Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012.)