Friday, June 08, 2012

Vermont Adds Data Security Breach Notification Requirements to Personal Information Law

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Vermont has amended its Protection of Personal Information law (Vermont Statutes, Title 9, Sec. 2430 through 2445) to add a requirement that data collectors and other entities subject to the law must report data security breaches to the state attorney general within 14 days of discovering the breach, or when the data collector provides notice to consumers, whichever is sooner.

The notification must include the date of the security breach and the date the breach was discovered. The notification also must provide a preliminary description of the breach. If the date of the breach is unknown at the time notice is sent to the attorney general, the data collector must send the attorney general the date of the breach as soon as the date is known.

The law also was changed to provide for a 45-day deadline for data collectors to notify consumers of security breaches affecting their personally identifiable information.

The definition of “security breach” was widened to include a “reasonable belief” that an unauthorized party has acquired electronic data that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information maintained by the data collector.

In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired, a data collector may take into consideration four factors listed by the amended statute:

(1) Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

(2) Indications that the information has been downloaded or copied;

(3) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

(4) Indications that the information has been made public.

The law (H.B. 254, Act No. 2012-109) was approved May 22, 2012 and will be effective August 1, 2012. The amended statute will appear in CCH Privacy Law in Marketing.
