On May 8th, Vermont became the most recent state to
amend its security breach notification law (9 V.S.A. §§
2430 and 2435).
The primary changes to Vermont's security breach
notification law are as follows:
The law's notification requirements are no longer triggered
by mere "access" to personally identifiable
information. Actual "acquisition" of the
information (or a reasonable belief thereof) is required in order
for there to have been a security breach under the amended
law. (§ 2430(8)(A))
The amendment adds factors to consider when determining whether
personally identifiable information has been acquired or is
reasonably believed to have been acquired by an unauthorized
person, including indications that the information: (i) is in the
physical possession and control of a person without valid
authorization, (ii) has been downloaded or copied, (iii) was used
by an unauthorized person, or (iv) has been made public.
Companies are required to notify consumers affected by a
security breach within 45 days of discovery or notification of the
breach, whereas prior to the amendment, they merely had to do so
"in the most expedient time possible and without unreasonable
delay..." (§ 2435(b)(1))
Companies are required to notify the Attorney General of
Vermont within 14 business days of the company's discovery of
the breach or when the company provides notice to consumers,
whichever is earlier. The notice to the Attorney General must
include the date of the breach and of its discovery, and a
preliminary description of the breach. There were no such
obligations previously. (§2435(b)(3)(A)(i))
After notifying Vermont consumers affected by a security
breach, companies must provide an additional notice to the Attorney
General of Vermont which includes the number of Vermont consumers
affected (if known) and a copy of the notice provided to affected
consumers. It is recommended that the company also provide a
second copy of the letter with the types of personally identifiable
information involved redacted, which the Attorney General's
office can use for public disclosure purposes.
(§2435(b)(3)(B)(i) and (ii))
The notice letter that must be sent to affected consumers must
now include the approximate date of the incident, in addition to
the other information that was required by the law before it was
Finally, as a result of the amendment, a toll-free number is no
longer required to be included in the notice letter to consumers
unless one is available. (§2430(b)(5)(D))
Data privacy issues keeping you awake at night? Our colleagues, part of Seyfarth's Global Privacy and Security Team (GPS), are here to help shed some light on this increasingly more complex body of law.
Florida businesses will soon have an important and powerful new legal cause of action to combat unauthorized access to protected computer systems or data by employees, former employees, directors, officers, and others.
State breach notification statutes are being amended on almost a monthly basis. Several laws have, or will soon have, a mandatory notification deadline for notifying affected individuals after the discovery of the incident.