Mandatory Timeframe for Breach Reporting and/or Consumer Notification

14 business days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach Notification Laws:
- Up to $10,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The data owner must notify the Attorney General or the Department of Financial Regulation within 14 days of discovery of a breach and must provide a preliminary description of the breach.
  • Follow-up regulatory notification is required to communicate specific information about the breach.
  • Consumer Notification of a breach must be made within 45 days after discovery of a breach.
  • Specific information must be included in the breach notification to affected residents.
  • Consumer notification following a breach involving login credentials may be sent through electronic notice to any consumers whose login credentials were wrongfully acquired. The consumer must be given advice on “steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.”
  • If consumer notices must be provided to more than 1,000 consumers, the data owner must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Vermont’s security breach notification law is enforced under its Consumer Protection Act, which permits penalties up to $10,000.
  • Heightened protection and handling requirements apply to social security numbers.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Additional data protection requirements and vendor contract requirements exist for data brokers.
Statutes and Laws
  • 8 V.S.A. § 2243 Banking and Insurance – Licensed Lenders: Confidentiality
  • 9 V.S.A. §§ 2430, 2431 Definitions; Acquisition of Brokered Personal Information; Prohibitions
  • 9 V.S.A. § 2435 Security Breach Notice Act
  • 9 V.S.A. § 2440 Social Security Number Protection Act
  • 9 V.S.A. § 2445 Document Safe Destruction Act
  • 9 V.S.A. § 2446 Data Brokers Annual Registration
  • 9 V.S.A. § 2447 Data broker duty to protect information; standards; technical requirements
  • 9 V.S.A. § 2458 Restraining prohibited acts