Amendments to Vermont's Security Breach Notification Law
The Vermont Attorney General announced new amendments to Vermont's security breach notification law.
On June 1, 2012, the Vermont Attorney General announced amendments to the state's security breach notification law. The changes were signed into law in early May and became effective immediately.Close speedread
On June 1, 2012, the Vermont Attorney General announced in a press release new amendments to the state's security breach notification law. The changes are part of Vermont's enhancements to the state's consumer protection laws. Governor Peter Shumlin signed the changes into law in early May 2012, and they took effect immediately.
The amendments notably change Vermont's security breach notification law by:
Expanding the definition of "security breach" to require notification when there is a " reasonable belief" of a breach.
Narrowing the definition of "security breach" to now cover only unauthorized acquisitions, but not unauthorized access, of electronic data.
Imposing a new 45-day requirement for notifying affected consumers within 45-days of discovering a security breach.
Including a new general requirement that data collectors notify the attorney general of a security breach. Among the new requirements, the data collector must, within 14 days of discovering the breach or, if sooner, when it notifies consumers, provide the Attorney General with:
the date of the security breach. If the date of the breach is unknown when notice is sent, the data collector can send the date as soon as it is known;
the date of discovery of the breach; and
a preliminary description of the breach.
When the data collector notifies affected consumers the breach, it must also notify the attorney general of the number of affected Vermont consumers, if known, and give the attorney general a copy of the notice to consumers.