Vermont’s Security Breach Notice Act is noteworthy because it has the United States’ shortest deadline for providing preliminary notice of a “security breach” to the state’s attorney general. The deadline is 14 days from discovery of a security breach. Security incident response teams commonly consider the Vermont law early in the response process to determine whether an organization will be required to provide breach notifications to affected Vermont residents and the state attorney general. On July 1, 2020, the Vermont law will be expanded to cover more types of incidents, which may cause organizations to pay even more attention to the Vermont notice deadline. The amendments also provide instructions on how organizations should provide notice in the event that online account credentials are breached.

Breach notice is required in more circumstances

In addition to existing notice triggers, beginning July 1, notification may be required in Vermont when a security breach involves an individual’s first and last name in combination with:

  • Government identification numbers, such as individual taxpayer number, passport number, and military identification card number
  • Biometric identifiers, such as a fingerprint or retina image, when they are used to identify or authenticate the individual
  • Genetic information
  • Health and medical records, including a health insurance policy number

Organizations that experience a security breach of online account credentials may also have an obligation to provide breach notifications.

These changes bring Vermont in line with other states that have recently amended their data breach notification laws.

The notification method for online account credential breaches differs based on the type of account that is compromised

Under the updated Vermont law, when online account credentials are the subject of a “security breach” and breach notification is required, an organization may notify affected Vermont residents electronically. The notice should advise the affected individual to take steps to protect the online account, including changing the compromised credentials for the account and for any other account where the individual uses the same credentials.

However, when compromised online account credentials affect email accounts maintained by the organization for the affected individuals, the organization should not provide notice of the security breach using those email accounts. Instead, the organization may provide clear and conspicuous notice through the online account when the user logs in to the account (as long as the user is likely to be the authorized user based on the IP address or the online location of the log-in) or using the other permitted methods (for example, the usual method – a written letter).

The updated Vermont law clarifies that an organization does not have notice obligations when online credentials it owns or licenses are the subject of a security breach experienced by another party. In other words, notice may be required from the organization that experienced the security breach, but it is not required from an organization that merely owns or licenses the credentials exposed in another party's breach. Nonetheless, an organization should still care about any breaches of credentials that affect its online accounts with customers (or employees or other data subjects). In addition to the obvious security concerns, compromised account credentials may be used to gain unauthorized access to other personally identifiable information that the organization maintains, leading to a security breach of its own.


State data breach notification laws frequently change, and organizations should closely monitor those updates so they can keep their incident response plans up to date. Vermont’s latest expansion of its breach notification law is especially notable given the short fuse to decide whether notification to the Vermont attorney general is required.

Organizations that plan in advance for data security incidents, have written incident response policies, and regularly test their response policies and procedures are better prepared to make difficult decisions and meet tight deadlines for breach notifications.