On May 8th, Vermont became the most recent state to
amend its security breach notification law (9 V.S.A. §§
2430 and 2435).
The primary changes to Vermont's security breach
notification law are as follows:
The law's notification requirements are no longer triggered
by mere "access" to personally identifiable
information. Actual "acquisition" of the
information (or a reasonable belief thereof) is required in order
for there to have been a security breach under the amended
law. (§ 2430(8)(A))
The amendment adds factors to consider when determining whether
personally identifiable information has been acquired or is
reasonably believed to have been acquired by an unauthorized
person, including indications that the information: (i) is in the
physical possession and control of a person without valid
authorization, (ii) has been downloaded or copied, (iii) was used
by an unauthorized person, or (iv) has been made public.
Companies are required to notify consumers affected by a
security breach within 45 days of discovery or notification of the
breach, whereas prior to the amendment, they merely had to do so
"in the most expedient time possible and without unreasonable
delay..." (§ 2435(b)(1))
Companies are required to notify the Attorney General of
Vermont within 14 business days of the company's discovery of
the breach or when the company provides notice to consumers,
whichever is earlier. The notice to the Attorney General must
include the date of the breach and of its discovery, and a
preliminary description of the breach. There were no such
obligations previously. (§2435(b)(3)(A)(i))
After notifying Vermont consumers affected by a security
breach, companies must provide an additional notice to the Attorney
General of Vermont which includes the number of Vermont consumers
affected (if known) and a copy of the notice provided to affected
consumers. It is recommended that the company also provide a
second copy of the letter with the types of personally identifiable
information involved redacted, which the Attorney General's
office can use for public disclosure purposes.
(§2435(b)(3)(B)(i) and (ii))
The notice letter that must be sent to affected consumers must
now include the approximate date of the incident, in addition to
the other information that was required by the law before it was
Finally, as a result of the amendment, a toll-free number is no
longer required to be included in the notice letter to consumers
unless one is available. (§2430(b)(5)(D))
In last year's BakerHostetler Incident Response Report, we reported the range of PCI DSS non-compliance fines as $5,000 – $50,000 and the per card amount of liability imposed to reimburse issuers of affected cards as $3-$25.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS).
The idea of cybersecurity may be foreign—or even frightening—to many attorneys. However, as evidenced in Part One of this series ("Cybersecurity: You Can't Afford to Ignore It Anymore," April 25) law firms appear to be the next great target for hackers. In light of that, as a risk management prevention tool, attorneys and firms need to be aware of how to protect themselves.
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).