§2430. Definitions

Link to law: http://legislature.vermont.gov/statutes/section/09/062/02430
Published: 2015

The Vermont Statutes Online



Title 09: Commerce and Trade

Chapter 062: PROTECTION OF PERSONAL INFORMATION

Subchapter 001: GENERAL PROVISIONS

§ 2430. Definitions

The following definitions shall apply throughout this chapter unless otherwise required:

(1) "Business" means a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but in no case shall it include the State, a State agency, or any political subdivision of the State.

(2) "Consumer" means an individual residing in this State.

(3) "Data collector" may include the State, State agencies, political subdivisions of the State, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

(4) "Encryption" means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.

(5)(A) "Personally identifiable information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:

(i) Social Security number;

(ii) motor vehicle operator's license number or nondriver identification card number;

(iii) financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;

(iv) account passwords or personal identification numbers or other access codes for a financial account.

(B) "Personally identifiable information" does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(6) "Records" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(7) "Redaction" means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number are accessible as part of the data.

(8)(A) "Security breach" means unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector.

(B) "Security breach" does not include good faith but unauthorized acquisition of personally identifiable information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

(C) In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:

(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

(ii) indications that the information has been downloaded or copied;

(iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

(iv) that the information has been made public.

(Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012.)