Mandatory Timeframe for Breach Reporting and/or Consumer Notification
14 business days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach Notification Laws:
- Up to $10,000
None to minimal
The data owner must notify the Attorney General or the Department of Financial Regulation within 14 days of discovery of a breach and must provide a preliminary description of the breach.
Follow-up regulatory notification is required to communicate specific information.
Consumer notification of a breach must be made within 45 days after discovery of a breach.
Specific information must be included in the breach notification to affected residents.
Consumer notification following a breach involving login credentials may be sent through electronic notice to any consumers whose login credentials were wrongfully acquired. The consumer must be given advice on “steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.”
If consumer notices must be provided to more than 1,000 consumers, the data owner must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Vermont’s security breach notification law is enforced under its Consumer Protection Act, which permits penalties up to $10,000.
Heightened protection and handling requirements apply to social security numbers.
If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Additional data protection requirements and vendor contract requirements exist for data brokers.