On May 8th, Vermont became the most recent state to
amend its security breach notification law (9 V.S.A. §§
2430 and 2435).
The primary changes to Vermont's security breach
notification law are as follows:
The law's notification requirements are no longer triggered
by mere "access" to personally identifiable
information. Actual "acquisition" of the
information (or a reasonable belief thereof) is required in order
for there to have been a security breach under the amended
law. (§ 2430(8)(A))
The amendment adds factors to consider when determining whether
personally identifiable information has been acquired or is
reasonably believed to have been acquired by an unauthorized
person, including indications that the information: (i) is in the
physical possession and control of a person without valid
authorization, (ii) has been downloaded or copied, (iii) was used
by an unauthorized person, or (iv) has been made public.
Companies are required to notify consumers affected by a
security breach within 45 days of discovery or notification of the
breach, whereas prior to the amendment, they merely had to do so
"in the most expedient time possible and without unreasonable
delay..." (§ 2435(b)(1))
Companies are required to notify the Attorney General of
Vermont within 14 business days of the company's discovery of
the breach or when the company provides notice to consumers,
whichever is earlier. The notice to the Attorney General must
include the date of the breach and of its discovery, and a
preliminary description of the breach. There were no such
obligations previously. (§2435(b)(3)(A)(i))
After notifying Vermont consumers affected by a security
breach, companies must provide an additional notice to the Attorney
General of Vermont which includes the number of Vermont consumers
affected (if known) and a copy of the notice provided to affected
consumers. It is recommended that the company also provide a
second copy of the letter with the types of personally identifiable
information involved redacted, which the Attorney General's
office can use for public disclosure purposes.
(§2435(b)(3)(B)(i) and (ii))
The notice letter that must be sent to affected consumers must
now include the approximate date of the incident, in addition to
the other information that was required by the law before it was
Finally, as a result of the amendment, a toll-free number is no
longer required to be included in the notice letter to consumers
unless one is available. (§2430(b)(5)(D))
The questions that BYOD policies seek to answer are these: (1) Who owns your device? (2) Who owns the information on your device? (3) What happens if that information (or the device itself) gets lost or stolen?
Orrick Cybersecurity & Data Privacy lawyers Emily Tabatabai and Shea Leitch co-authored an article for the International Association of Privacy Professionals' Privacy Tracker on the continued expansion...
He advises on handling internal data breach investigations; supervising forensic examinations and coordinating with law enforcement in investigations of criminal attacks; and regulatory investigations and enforcement actions by the FTC and HHS/OCR.
Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).