On May 8th, Vermont became the most recent state to
amend its security breach notification law (9 V.S.A. §§
2430 and 2435).
The primary changes to Vermont's security breach
notification law are as follows:
The law's notification requirements are no longer triggered
by mere "access" to personally identifiable
information. Actual "acquisition" of the
information (or a reasonable belief thereof) is required in order
for there to have been a security breach under the amended
law. (§ 2430(8)(A))
The amendment adds factors to consider when determining whether
personally identifiable information has been acquired or is
reasonably believed to have been acquired by an unauthorized
person, including indications that the information: (i) is in the
physical possession and control of a person without valid
authorization, (ii) has been downloaded or copied, (iii) was used
by an unauthorized person, or (iv) has been made public.
Companies are required to notify consumers affected by a
security breach within 45 days of discovery or notification of the
breach, whereas prior to the amendment, they merely had to do so
"in the most expedient time possible and without unreasonable
delay..." (§ 2435(b)(1))
Companies are required to notify the Attorney General of
Vermont within 14 business days of the company's discovery of
the breach or when the company provides notice to consumers,
whichever is earlier. The notice to the Attorney General must
include the date of the breach and of its discovery, and a
preliminary description of the breach. There were no such
obligations previously. (§2435(b)(3)(A)(i))
After notifying Vermont consumers affected by a security
breach, companies must provide an additional notice to the Attorney
General of Vermont which includes the number of Vermont consumers
affected (if known) and a copy of the notice provided to affected
consumers. It is recommended that the company also provide a
second copy of the letter with the types of personally identifiable
information involved redacted, which the Attorney General's
office can use for public disclosure purposes.
(§2435(b)(3)(B)(i) and (ii))
The notice letter that must be sent to affected consumers must
now include the approximate date of the incident, in addition to
the other information that was required by the law before it was
Finally, as a result of the amendment, a toll-free number is no
longer required to be included in the notice letter to consumers
unless one is available. (§2430(b)(5)(D))
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage's cyber liability insurance policy.
The Ashley Madison site declares on its home page that "Life is short. Have an affair." The home page goes on to state that "Ashley Madison is the world's leading married dating service for discreet encounters."
Evidence collected by the U.S. Department of Homeland Defense (DHS) shows that cyberattacks on key energy infrastructure – particularly the electric system – are increasing in both sophistication and frequency.
On Friday, July 24, the United States Judicial Panel on Multidistrict Litigation issued an Order consolidating in the D.C. Circuit Court of Appeals three timely petitions for review of a July 10, 2015 Declaratory Ruling and Order of the Federal Communications Commission (FCC).