Vermont
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe: 14 business days
FINES & PENALTIES – Violations: Up to $10,000
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Not Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Vermont Privacy Law Information
Organizations and Vendors in the business of destroying records must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable. Heightened protection and handling requirements apply to social security numbers. Organizations and Vendors in the business of destroying records must have policies and procedures in place for the protection and security of personal information.
A breached Organization must notify the Attorney General or the Department of Financial Regulation within 14 days of discovery of a breach and must provide a preliminary description of the breach. Follow-up regulatory notification is required to communicate specific information.
Consumer notification following a breach involving login credentials may be sent through electronic notice to any consumers whose login credentials were wrongfully acquired. The consumer must be given advice on “steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.” Consumer notification of a breach must be made within 45 days. The Organization must notify, without unreasonable delay, all consumer reporting agencies if more than 1000 affected consumers receive breach notification. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notifications.
Vendors of Data Brokers must be contracted. Data Brokers must register with the Secretary of State and provide detailed information regarding their practices.
Vermont’s security breach notification law is enforced under its Consumer Protection Act, with penalties up to $10,000. Failure to protect personal information is considered an unfair and deceptive act.
Vermont Statutes and Laws
Definitions
Acquisition of brokered personal information; prohibitions
Security breach notice act
Social security number protection act
Document safe destruction act
Data brokers annual registration
Data broker duty to protect information; standards; technical requirements
Restraining prohibited acts
Civil penalty
Protection of personal information
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.