This post was also written by Frederick Lah.
Vermont has recently updated its data breach notification law, Vt. Stat. Tit. 9, Ch. 62, sections 2430 and 2435, to make it one of the stronger data breach notification laws in the country. The new law became effective May 8, 2012. There are three main changes in the law:
First, the definition of security breach has been amended. Previously, “security breach” meant the unauthorized acquisition or access of data. The new definition no longer covers unauthorized access and only defines the term as “unauthorized acquisition … or a reasonable belief of unauthorized acquisition.” To help clarify this new standard, the law lists the following factors that companies should consider when determining whether data has been acquired or reasonably believed to have been acquired:
- Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information
- Indications that the information has been downloaded or copied
- Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported, or
- Indications that the information has been made public
The second major change of Vermont’s law is that it has added a 45-day firm deadline upon discovery of the breach for when consumer notifications must be sent. The vast majority of states speak in general terms and only require that notification be made to consumers “without unreasonable delay” or “in the most expedient time possible.” Vermont now joins a handful of other states (Florida, Ohio, and Wisconsin) with a specific firm deadline. All of these states have the same 45-day deadline.
Lastly, the amended law adds a requirement that the state attorney general must be notified of a data breach. The company must notify the attorney general of the date of the breach, date of the discovery of the breach, and a preliminary description of the breach, which shall include the number of Vermont consumers affected, if known. By default, this notification must be done within 14 business days upon discovery of the breach. Puerto Rico is the only other jurisdiction with a firm deadline (10 days) for when government notification must be sent. Interestingly, though, the new law provides companies with an alternative to this 14-business-day requirement. If, prior to the breach, the company has sworn in writing to the attorney general that it maintains written policies and procedures to maintain the security of the consumer information and respond to a breach in a manner consistent with Vermont law, then the 14-business-day requirement would not apply. Instead, the company would just need to notify the attorney general prior to sending the consumer notifications (which have a firm deadline of 45 days). The law provides that the company must make this sworn statement “on a form and in a manner prescribed by the office of the attorney general”; however, no guidance has been released yet on what this form would look like.
This recent update to the Vermont data breach notification law provides yet another wrinkle in the complicated landscape of state data breach notification laws.