On May 8th, Vermont became the most recent state to
amend its security breach notification law (9 V.S.A. §§
2430 and 2435).
The primary changes to Vermont's security breach
notification law are as follows:
The law's notification requirements are no longer triggered
by mere "access" to personally identifiable
information. Actual "acquisition" of the
information (or a reasonable belief thereof) is required in order
for there to have been a security breach under the amended
law. (§ 2430(8)(A))
The amendment adds factors to consider when determining whether
personally identifiable information has been acquired or is
reasonably believed to have been acquired by an unauthorized
person, including indications that the information: (i) is in the
physical possession and control of a person without valid
authorization, (ii) has been downloaded or copied, (iii) was used
by an unauthorized person, or (iv) has been made public.
Companies are required to notify consumers affected by a
security breach within 45 days of discovery or notification of the
breach, whereas prior to the amendment, they merely had to do so
"in the most expedient time possible and without unreasonable
delay..." (§ 2435(b)(1))
Companies are required to notify the Attorney General of
Vermont within 14 business days of the company's discovery of
the breach or when the company provides notice to consumers,
whichever is earlier. The notice to the Attorney General must
include the date of the breach and of its discovery, and a
preliminary description of the breach. There were no such
obligations previously. (§2435(b)(3)(A)(i))
After notifying Vermont consumers affected by a security
breach, companies must provide an additional notice to the Attorney
General of Vermont which includes the number of Vermont consumers
affected (if known) and a copy of the notice provided to affected
consumers. It is recommended that the company also provide a
second copy of the letter with the types of personally identifiable
information involved redacted, which the Attorney General's
office can use for public disclosure purposes.
(§2435(b)(3)(B)(i) and (ii))
The notice letter that must be sent to affected consumers must
now include the approximate date of the incident, in addition to
the other information that was required by the law before it was
Finally, as a result of the amendment, a toll-free number is no
longer required to be included in the notice letter to consumers
unless one is available. (§2430(b)(5)(D))
The National Institute of Standards and Technology (NIST) has released a draft of Securing Electronic Records on Mobile Devices, the institute's first practice guide in a series designed to help organizations improve cybersecurity.
This alert summarizes the ten over-arching recommendations addressed in the FTC's "Start with Security" publication and the practical steps you can take to implement these recommendations and reduce your company's data security risks.
With all the activity going on from a regulatory perspective, it is imperative for companies in this time of hyper-vigilance on this issue to stay abreast of the changing legal landscape and revise information security policies...