Mandatory Timeframe for Breach Reporting and/or Consumer Notification
14 business days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach Notification Laws:
- Up to $10,000
None to minimal
The data owner must report a breach to the Attorney General or the Department of Financial Regulation within 14 days and must provide a preliminary description of the breach.
Consumer Notification of a breach must be made within 45 days after discovery of a breach.
If consumer notices must be provided to more than 1,000 consumers, the data owner must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Vermont’s security breach notification law is enforced under its Consumer Protection Act, which permits penalties up to $10,000.
Heightened protection and handling requirements apply to social security numbers.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Additional data protection requirements and vendor contract requirements exist for data brokers.