The Vermont Statutes Online
Title 09: Commerce and Trade
Chapter 062: PROTECTION OF PERSONAL INFORMATION
Subchapter 002: SECURITY BREACH NOTICE ACT
§ 2435. Notice of security breaches
(a) This section shall be known as the Security Breach Notice Act.
(b) Notice of breach.
(1) Except as set forth in subsection (d) of this section, any data collector that owns or licenses computerized personally identifiable information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. Notice of the security breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency, as provided in subdivisions (3) and (4) of this subsection (b)(3), or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any data collector that maintains or possesses computerized data containing personally identifiable information of a consumer that the data collector does not own or license or any data collector that acts or conducts business in Vermont that maintains or possesses records or data containing personally identifiable information that the data collector does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subdivisions (3) and (4) of this subsection (b)(3).
(3) A data collector or other entity subject to this subchapter shall provide notice of a breach to the Attorney General or to the Department of Financial Regulation, as applicable, as follows:
(A) A data collector or other entity regulated by the Department of Financial Regulation under Title 8 or this title shall provide notice of a breach to the Department. All other data collectors or other entities subject to this subchapter shall provide notice of a breach to the Attorney General.
(B)(i) The data collector shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days, consistent with the legitimate needs of the law enforcement agency as provided in this subdivision (3) and subdivision (4) of this subsection (b), of the data collector's discovery of the security breach or when the data collector provides notice to consumers pursuant to this section, whichever is sooner.
(ii) Notwithstanding subdivision (B)(i) of this subdivision (b)(3), a data collector who, prior to the date of the breach, on a form and in a manner prescribed by the Attorney General, had sworn in writing to the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information and respond to a breach in a manner consistent with Vermont law shall notify the Attorney General of the date of the security breach and the date of discovery of the breach and shall provide a description of the breach prior to providing notice of the breach to consumers pursuant to subdivision (1) of this subsection (b).
(iii) If the date of the breach is unknown at the time notice is sent to the Attorney General or to the Department, the data collector shall send the Attorney General or the Department the date of the breach as soon as it is known.
(iv) Unless otherwise ordered by a court of this State for good cause shown, a notice provided under this subdivision (3)(B) shall not be disclosed to any person other than the Department, the authorized agent or representative of the Attorney General, a State's Attorney, or another law enforcement officer engaged in legitimate law enforcement activities without the consent of the data collector.
(C)(i) When the data collector provides notice of the breach pursuant to subdivision (1) of this subsection (b), the data collector shall notify the Attorney General or the Department, as applicable, of the number of Vermont consumers affected, if known to the data collector, and shall provide a copy of the notice provided to consumers under subdivision (1) of this subsection (b).
(ii) The data collector may send to the Attorney General or the Department, as applicable, a second copy of the consumer notice, from which is redacted the type of personally identifiable information that was subject to the breach, and which the Attorney General or the Department shall use for any public disclosure of the breach.
(4)(A) The notice to a consumer required by this subsection shall be delayed upon request of a law enforcement agency. A law enforcement agency may request the delay if it believes that notification may impede a law enforcement investigation, or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. In the event law enforcement makes the request for a delay in a manner other than in writing, the data collector shall document such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. A law enforcement agency shall promptly notify the data collector in writing when the law enforcement agency no longer believes that notification may impede a law enforcement investigation, or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests. The data collector shall provide notice required by this section without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communication, from the law enforcement agency withdrawing its request for delay.
(B) A Vermont law enforcement agency with a reasonable belief that a security breach has or may have occurred at a specific business shall notify the business in writing of its belief. The agency shall also notify the business that additional information on the security breach may need to be furnished to the Office of the Attorney General or the Department of Financial Regulation and shall include the website and telephone number for the Office and the Department in the notice required by this subdivision. Nothing in this subdivision shall alter the responsibilities of a data collector under this section or provide a cause of action against a law enforcement agency that fails, without bad faith, to provide the notice required by this subdivision.
(5) The notice to a consumer shall be clear and conspicuous. The notice shall include a description of each of the following, if known to the data collector:
(A) the incident in general terms;
(B) the type of personally identifiable information that was subject to the security breach;
(C) the general acts of the data collector to protect the personally identifiable information from further security breach;
(D) a telephone number, toll-free if available, that the consumer may call for further information and assistance;
(E) advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
(F) the approximate date of the security breach;
(6) A data collector may provide notice of a security breach to a consumer by one or more of the following methods:
(A) Direct notice, which may be by one of the following methods:
(i) written notice mailed to the consumer's residence;
(ii) electronic notice, for those consumers for whom the data collector has a valid e-mail address if:
(I) the data collector's primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches; or
(II) the notice is consistent with the provisions regarding electronic records and signatures for notices in 15 U.S.C. § 7001; or
(iii) telephonic notice, provided that telephonic contact is made directly with each affected consumer and not through a prerecorded message.
(B)(i) Substitute notice, if:
(I) the data collector demonstrates that the cost of providing written or telephonic notice to affected consumers would exceed $5,000.00;
(II) the class of affected consumers to be provided written or telephonic notice exceeds 5,000; or
(III) the data collector does not have sufficient contact information.
(ii) A data collector shall provide substitute notice by:
(I) conspicuously posting the notice on the data collector's website if the data collector maintains one; and
(II) notifying major statewide and regional media.
(c) In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice. This subsection shall not apply to a person who is licensed or registered under Title 8 by the Department of Financial Regulation.
(d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection (d). If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont Attorney General or to the Department of Financial Regulation in the event that the data collector is a person or entity licensed or registered with the Department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont Attorney General or the Department of Financial Regulation as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in 1 V.S.A. § 317(c)(9).
(2) If a data collector established that misuse of personal information was not reasonably possible under subdivision (1) of this subsection (d), and subsequently obtains facts indicating that misuse of the personal information has occurred or is occurring, the data collector shall provide notice of the security breach pursuant to subsection (b) of this section.
(e) Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.
(f) Except as provided in subdivision (3) of this subsection (f), a financial institution that is subject to the following guidances, and any revisions, additions, or substitutions relating to an interagency guidance shall be exempt from this section:
(1) The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
(2) Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.
(3) A financial institution regulated by the Department of Financial Regulation that is subject to subdivision (1) or (2) of this subsection (f) shall notify the Department as soon as possible after it becomes aware of an incident involving unauthorized access to or use of personally identifiable information.
(g) Enforcement.
(1) With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State's Attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this chapter as the Attorney General and State's Attorney have under chapter 63 of this title. The Attorney General may refer the matter to the State's Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State's Attorney under this subsection.
(2) With respect to a data collector that is a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the Department has under Title 8 or this title or any other applicable law or regulation.
(h) [Repealed.] (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 78 (Adj. Sess.), § 2, eff. April 2, 2012; 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012; 2013, No. 29, §§ 10, 11, eff. May 13, 2013; 2013, No. 199 (Adj. Sess.), § 67; 2015, No. 55, § 8.)