- with Senior Company Executives, HR and Finance and Tax Executives
- with readers working within the Insurance, Oil & Gas and Pharmaceuticals & BioTech industries
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
- change the information protected to "personally identifiable information" (it was formerly "personal information");
- exclude from the definition of "security breach" mere "unauthorized access" and "good faith but unauthorized acquisition" of PII;
- require notice of breaches now be made "45 days after the discovery or notification"; and
- require entities suffering a breach to "provide notice of a breach to the attorney general's office".
A final cautionary note: Vermont has yet to update its Attorney General's Security Breach
Notification Guidance to match this change in the law.
To view Foley Hoag's Security, Privacy and The Law Blog please click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.