Vermont Amends Security Breach Notification Law

Author:Mr Kevin Khurana
Profession:Proskauer Rose LLP

On May 8th, Vermont became the most recent state to amend its security breach notification law (9 V.S.A. §§ 2430 and 2435).      

The primary changes to Vermont's security breach notification law are as follows:

The law's notification requirements are no longer triggered by mere "access" to personally identifiable information.  Actual "acquisition" of the information (or a reasonable belief thereof) is required in order for there to have been a security breach under the amended law.  (§ 2430(8)(A)) The amendment adds factors to consider when determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by an unauthorized person, including indications that the information: (i) is in the physical possession and control of a person without valid authorization, (ii) has been downloaded or copied, (iii) was used by an unauthorized person, or (iv) has been made public.  (§ 2430(8)(C)) Companies are required to notify consumers affected by a security breach within 45 days of discovery or notification of the breach, whereas prior to the amendment, they merely had to do so "in the most expedient time possible and without unreasonable delay..." (§ 2435(b)(1)) Companies are required to notify the Attorney General of Vermont within 14 business days of the company's discovery of the breach or when the company provides notice to consumers,...

To continue reading