Global Data Privacy Guide

USA, Vermont

(United States)

Updated 01 Mar 2022
What is the key legislation?
  • Title 1, Chapter 5, Subchapter 3 of the Vermont Statutes (1 V.S.A. §§ 315-320) – Vermont Public Records Act
  • Title 9, Chapter 62 of the Vermont Statutes (9 V.S.A. §§ 2430 et seq.) – Protection of Personal Information
    • 9 V.S.A. §§ 2431, 2446, 2447 – Data Broker Law
    • 9 V.S.A. § 2435 – Vermont Security Breach Notice Act
    • 9 V.S.A. § 2440 – Vermont Social Security Number Protection Act
    • 9 V.S.A. §§ 2443-2443f – Vermont Student Data Privacy Law
    • 9 V.S.A. § 2445 – Vermont Document Safe Destruction Act
  • Title 9, Chapter 63 of the Vermont Statutes (9 V.S.A. §§ 2451 et seq.) – Vermont Consumer Protection Act
    • 9 V.S.A. §§ 2464a-2464d – Telephone Solicitations
    • 9 V.S.A. §§ 2480a-2480n – Vermont Fair Credit Reporting Act
  • Title 12, Chapter 63 of the Vermont Statutes (12 V.S.A. §§ 1691 et seq.) – Records and Other Documents
    • 12 V.S.A. § 1691a – Procedure for production of employee personnel records
  • Title 13, Chapter 47 of the Vermont Statutes (13 V.S.A. §§ 2001 et seq.) – Frauds
    • 13 V.S.A. § 2030 – Identity theft
  • Title 13, Chapter 232 of the Vermont Statutes (13 V.S.A. §§ 8101-8108) – Vermont Electronic Communication Privacy Act
  • Title 18, Chapter 42B of the Vermont Statutes (18 V.S.A. §§ 1881-1882) – Health Care Privacy
  • Title 18, Chapter 84A of the Vermont Statutes (18 V.S.A. §§ 4281 et seq.) – Vermont Prescription Monitoring System
    • 18 V.S.A. § 4284 – Protection and disclosure of information
  • Title 21, Chapter 5, Subchapter 6 of the Vermont Statutes (21 V.S.A. §§ 495 et seq.) – Fair Employment Practices
    • 21 V.S.A. § 495i – Employment based on credit information; prohibitions
    • 21 V.S.A. § 495j – Criminal history records; employment applications
    • 21 V.S.A. § 495l – Social media account privacy; prohibitions
    • 21 V.S.A. § 495m – Salary history; employment applications
  • Title 21, Chapter 5, Subchapter 11 of the Vermont Statutes (21 V.S.A. §§ 511 et seq.) – Drug Testing
    • 21 V.S.A. § 516 – Confidentiality
  • Title 22, Chapter 4 of the Vermont Statutes (22 V.S.A. §§ 171-173) – Library Patron Records
  • In addition to the above-listed statutes, various regulations in Vermont address privacy matters, including:
    • Vermont Department of Financial Regulation, Banking Division, Regulation B-2018-01, CVR 21-010-016 (Privacy of Consumer Financial and Health Information Regulation)
    • Vermont Department of Banking, Insurance, Securities & Health Care Administration, Division of Insurance, Division of Health Care Administration, Regulation IH-2001-01, CVR 21-020-053 (Privacy of Consumer Financial and Health Information Regulation)
    • Vermont Department of Financial Regulation, Insurance Division, Regulation IH-2002-03, CVR 21-020-055 (Standards for Safeguarding Customer Information)
    • Vermont Department of Financial Regulation, Securities Division, Regulation S-2016-01, CVR 21-030-001 (Vermont Securities Regulations)
    • Vermont Agency of Human Services, CVR 13-000-002 (Consumer Information and Privacy)
    • Vermont Agency of Human Services, CVR 13-001-001 (General Provisions and Definitions)
    • Vermont Agency of Human Services, Department for Children and Families, CVR 13-170-001 (Health Benefits Eligibility and Enrollment)
    • Vermont Agency of Human Services, Department of Health, CVR 13-140-021 (Immunization)
    • Vermont Agency of Human Services, Department of Disabilities, Aging and Independent Living, CVR 13-110-006 (Licensing Regulations for Homes for the Terminally Ill)
    • Vermont Agency of Human Services, Department of Disabilities, Aging and Independent Living, CVR 13-110-009 (Residential Care Home Licensing)
    • Vermont Agency of Human Services, Department of Disabilities, Aging and Independent Living, CVR 13-110-012 (Licensing and Operating Regulations for Therapeutic Community Residences)
    • Vermont Agency of Human Services, Department of Social and Rehabilitation Services, CVR 13-160-003 (Regulations for Commissioner-Designated Shelter Programs)
    • Vermont Agency of Human Services, Division of Licensing and Regulation, CVR 13-162-007 (Licensing Regulations for Family Foster Care)
    • Vermont Department of Public Service, Vermont Enhanced 9-1-1 Board, CVR 31-010-003 (Individual Privacy and the Automatic Location Information (ALI) Display)
    • Vermont Public Utility Commission, CVR 30-000-7600 (Standards for Billing, Credit and Collections, and Customer Information for Telecommunications Carriers)
    • Vermont Agency of Administration, Vermont Department of Taxes, CVR 10-060-004 (Confidentiality of Records)
    • Vermont Agency of Administration, Vermont Department of Taxes, CVR 10-060-033 (Sales and Use Tax Regulations)
    • Vermont Department of Education, CVR 22-000-006 (Special Education Rules)
    • Vermont Attorney General, Consumer Protection Rule CP 112 (Fair Credit Reporting)

Note: Key Data Protection Provisions:

Statutes

  • The Vermont Security Breach Notice Act requires various notices to be given in the event of a “security breach,” which is defined as either an unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information ("PII") or login credentials.  A breach does not include good faith but unauthorized acquisition of PII or login credentials by any employee or agent of a data collector that is for a legitimate purpose of the data collector provided that the PII or login credentials are not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
  • The Vermont Social Security Number Protection Act generally prohibits a public or private entity from communicating, printing, embedding, selling, leasing, lending, trading, renting, disclosing, or requiring use or transmission of social security numbers except as provided for in the statute.
  • The Vermont Document Safe Destruction Act requires businesses to take all reasonable steps to destroy or arrange for the destruction of a customer’s records containing personal information that is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable.
  • Vermont’s data broker statute requires data brokers annually to register with the Secretary of State and provide certain requested information on their practices. The statute prohibits the acquisition and use of brokered personal information through fraudulent means or for the purposes of stalking or harassment, committing fraud (e.g., identity theft, financial fraud, or e-mail fraud); or engaging in unlawful discrimination.  The statute also requires data brokers to develop, implement, and maintain a written, comprehensive information security program containing administrative, technical, and physical safeguards.  
  • Vermont’s Student Data Privacy law regulates operators of websites, online services, online applications, or mobile applications who have actual knowledge that the site, service, or application is used primarily for, and was designed and marketed for, “PreK–12 school purposes” – defined as “purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district; aid in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or are otherwise for the use and benefit of the school.”  The law sets forth various duties on operators, as well as permitted and prohibited acts by such operators, with respect to “covered information” as defined under the law.
  • 8 V.S.A. § 10203 prohibits financial institutions and their officers, employees, agents, and directors from disclosing any financial information relating to a customer, except as authorized under the statute, and requires them to adopt reasonable procedures to assure compliance.
  • 18 V.S.A. § 1881 prohibits a covered entity from disclosing protected health information unless the disclosure is permitted under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
  • 18 V.S.A. § 4284 requires the Vermont Department of Health to maintain procedures to protect patient privacy, ensure the confidentiality of patient information collected, recorded, transmitted, and maintained, and ensure that information is not disclosed to any person except as expressly allowed. It also prohibits recipients of prescription data from sharing that data with persons other than those enumerated in the statute.
  • Vermont’s fair employment practices statute and related provisions regulate, limit, restrict, or prohibit employers from inquiring about, accessing, or using credit reports, credit histories, criminal history records, social media accounts, salary history information, and drug test results.
  • 12 V.S.A. § 1691a prevents an employee’s personnel records from being discovered by a party in a civil action without first giving the employee notice and an opportunity to object to the discovery of the records.
  • Vermont’s identity theft statute prohibits a person from (1) obtaining, producing, possessing, using, selling, giving or transferring personal identifying information belonging or pertaining to another person with the intent to use that information to commit a misdemeanor or a felony, and (2) knowingly or recklessly obtaining, producing, possessing, using, selling, giving, or transferring personal identifying information belonging or pertaining to another person without the consent of the other person and knowingly or recklessly facilitating the use of that information by a third person to commit a misdemeanor or a felony.
  • The Vermont Electronic Communication Privacy Act limits law enforcement’s access to “electronic communications” (defined as “the transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, a radio, the electromagnetic, photoelectric, or photo-optical system”) and “protected user information” (defined as “electronic communication content, including the subject line of e-mails, cellular tower-based location data, GPS or GPS-derived location data, the contents of files entrusted by a user to an electronic communication service pursuant to a contractual relationship for the storage of the files whether or not a fee is charged, data memorializing the content of information accessed or viewed by a user, and any other data for which a reasonable expectation of privacy exists”).
  • Vermont’s library patron records statute requires libraries to treat their “patron registration records” and “patron transaction records” as confidential, and prohibits them from disclosing such records except as expressly provided in the statute (e.g., with the written permission of the library patron) or otherwise authorized by law.
  • Vermont’s Public Records Act governs the circumstances under which members of the public may inspect or copy public records held by public agencies in Vermont.  The statute observes that “All people . . . have a right to privacy in their personal and economic pursuits, which ought to be protected unless specific information is needed to review the action of a governmental officer.  Consistent with these principles, the General Assembly hereby declares that certain public records shall be made available to any person as hereinafter provided.  To that end, the provisions of this subchapter shall be liberally construed to implement this policy, and the burden of proof shall be on the public agency to sustain its action.”

Regulations

  • CVR 13-000-002 governs employees, grantees, and contractors of the Vermont Agency of Human Services in the collection, disclosure, and sharing of consumers’ “Individually Identifiable Information;” notification to consumers regarding Individually Identifiable Information practices; procedures for obtaining permission/authorization to share/disclose Individually Identifiable Information; consumer access to records; and procedures required to protect confidentiality.
  • CVR 13-001-001 and CVR 13-170-001 govern the collection and disclosure of personally identifiable information by the Vermont Agency of Human Services.  They require the agency to (a) establish and implement privacy and security standards; (b) establish and implement operational, technical, administrative, and physical safeguards for personally identifiable information; (c) monitor, assess, and update security controls and related system risks; and (d) develop and utilize secure electronic interfaces when sharing personally identifiable information.
  • Regulation IH-2002-03, CVR 21-020-055 governs insurers licensed by the State of Vermont regarding the establishment of standards for developing and implementing administrative, technical, and physical safeguards to (a) protect the security, confidentiality, and integrity of customer information; (b) protect against anticipated threats or hazards to the security or integrity of the information; and (c) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to customers.  It requires licensees to develop and implement comprehensive written information security programs.
  • Regulation IH-2001-01, CVR 21-020-053 governs insurers licensed by the State of Vermont regarding the treatment of “nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees.”  It requires licensees to provide notice (both initially and annually) to consumers of their privacy policies and practices and sets forth the conditions under which nonpublic personal information may be disclosed.
  • Regulation B-2018-01, CVR 21-010-016 governs “financial institutions” regarding the treatment of “nonpublic personal health information” and “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from [financial institutions].”  It requires financial institutions to provide notice (both initially and annually) to consumers of their privacy policies and practices and sets forth the conditions under which nonpublic personal health information may be disclosed.
  • Regulation S-2016-01, CVR 21-030-001 requires a Vermont registered investment advisor to “establish and maintain written procedures reasonably designed to ensure cybersecurity,” to “include cybersecurity as part of its risk assessment,” to “maintain evidence of adequate insurance for the risk of cybersecurity breach,” and to “provide identity restoration services at no cost to consumers in the occurrence of breach in the cybersecurity of consumer nonpublic personal information.”
  • CVR 30-000-7600 requires telecommunications carriers to take reasonable steps to protect customer privacy, prepare privacy analysis statements for service modifications or technology changes, afford customers the opportunity to have their telephone numbers unlisted/unpublished, allow customers to prevent the display of the calling party’s name and telephone number on a caller identification display device, and notify customers at least annually regarding information that is released to call recipients when the customer places a call to a toll-free or pay-per-call telephone number.
  • CVR 10-060-004 generally provides that records and files kept by the Vermont Department of Taxes, including tax returns and return information, are confidential and are not to be made publicly available except as provided by the regulation.
  • CVR 10-060-033 requires that certified service providers working on behalf of sellers must perform tax calculations, remittances, and reporting functions without retaining consumers’ “personally identifiable information.”  The regulation also provides that the Vermont Commissioner of Taxes may not retain personally identifiable information that has been collected but is no longer required.  Finally, in certain circumstances, the Commissioner must notify consumers if a request to discover their personally identifiable information is made.
  • CVR 22-000-006 addresses privacy matters with respect to students’ “education records,” which are defined as under the federal Family Educational Rights and Privacy Act of 1974 ("FERPA"), and “personally identifiable information,” defined as “(1) The name of a child, the child’s parent, or other family member; (2) The address of the child; (3) A personal identifier such as the child or parent’s social security number; or (4) A list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty such as the child’s date of birth or disability.”  The regulation contains requirements concerning notices to parents, rights to access records, records of access to education records, amendments of records, hearing procedures, consent for disclosures of personally identifiable information and education records, safeguards to protect confidentiality, destruction of information, and children’s rights.

What data is protected?
  • The Vermont Security Breach Notice Act defines “personally identifiable information” as follows:

“A consumer’s first name or first initial and last name in combination with one or more of the following digital data elements, when either the name or the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons:

  1. a Social Security number; 
  2. a driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or another identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction; 
  3. a financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords; 
  4. a password, personal identification number, or other access code for a financial account; 
  5. unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data; 
  6. genetic information; and 
  7. (i) health records or records of a wellness program or similar program of health promotion or disease prevention; (ii) a health care professional’s medical diagnosis or treatment of the consumer; or (iii) a health insurance policy number.”

Excluded from the definition of “personally identifiable information” is publicly available information that is lawfully made available to the general public from federal, state, or local government records.

  • The Vermont Security Breach Notice Act defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.”
  • The Vermont Document Safe Destruction Act defines “personal information” as information that identifies, relates to, describes, or is capable of being associated with a particular individual, including signature, Social Security number, physical characteristics or description, passport number, driver's license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
  • Vermont’s data broker statute defines “brokered personal information” to include “one or more of the following computerized data elements about a consumer if categorized or organized for dissemination to third parties:
    1. name;
    2. address;
    3. date of birth;
    4. place of birth;
    5. mother's maiden name;
    6. unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    7. name or address of a member of the consumer's immediate family or household;
    8. Social Security number or another government-issued identification number; or
    9. other information that alone or in combination with the other information sold or licensed would allow a reasonable person to identify the consumer with reasonable certainty.”
  • “Financial information” (8 V.S.A. § 10202) is defined as “an original or copy of, or information derived from: (A) a document that grants signature authority over a deposit or share account; (B) a statement, ledger card, or another record of a deposit or share account that shows transactions in or with respect to that deposit or account; (C) a check, clear draft, or money order that is drawn on a financial institution or issued and payable by or through a financial institution; (D) any item, other than an institutional or periodic charge, that is made under an agreement between a financial institution and another person's deposit or share account; (E) any information that relates to a loan account or an application for a loan; or (F) evidence of a transaction conducted by electronic or telephonic means.”
  • “Protected health information” is defined as in 45 C.F.R. § 160.103.
  • Vermont’s Student Data Privacy Law defines “covered information” as “personal information or material, or information that is linked to personal information or material, in any media or format,” that “personally identifies a student, including information in the student’s education record or electronic mail; first and last name; home address; telephone number; electronic mail address or other information that allows physical or online contact; discipline records; test results; special education data; juvenile dependency records; grades; evaluations; criminal records; medical records; health records; social security number; biometric information; disability status; socioeconomic information; food purchases; political affiliations; religious information; text messages; documents; student identifiers; search activity; photos; voice recordings; or geolocation information.”  To qualify as “covered information,” the information must also meet the following criteria:  (1) it is not publicly available, or it is made publicly available pursuant to the federal Family Educational Rights and Privacy Act; and (2) it is created by or provided to an operator by a student or the student’s parent or legal guardian in the course of the student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for PreK–12 school purposes; or it is created by or provided to an operator by an employee or agent of a school or school district for PreK–12 school purposes; or it is gathered by an operator through the operation of its site, service, or application for PreK–12 school purposes.
  • The Vermont Identity Theft Statute protects “name, address, birth date, Social Security number, motor vehicle personal identification number, telephone number, financial services account number, savings account number, checking account number, credit card number, debit card number, picture, identification document or false identification document, electronic identification number, educational record, health care record, financial record, credit record, employment record, e-mail address, computer system password, or mother’s maiden name, or similar personal number, record, or information.”
  • 18 V.S.A. § 4284 protects prescription information.
  • Vermont’s fair employment practices statute and related provisions protect employees’ and applicants’ credit reports, credit histories, criminal history records, social media accounts, salary history information, and drug test results.
  • 12 V.S.A. § 1691a protects employee personnel records.
  • Vermont’s library patron records statute protects “patron registration records” and “patron transaction records.”
  • The Vermont Electronic Communication Privacy Act protects “protected user information,” which is defined as “electronic communication content, including the subject line of e-mails, cellular tower-based location data, GPS or GPS-derived location data, the contents of files entrusted by a user to an electronic communication service pursuant to a contractual relationship for the storage of the files whether or not a fee is charged, data memorializing the content of information accessed or viewed by a user, and any other data for which a reasonable expectation of privacy exists.”
  • CVR 13-000-002 protects consumers’ “Individually Identifiable Information.”
  • CVR 13-001-001 and CVR 13-170-001 protect “Personally Identifiable Information.”
  • Regulation IH-2001-01, CVR 21-020-053 protects “nonpublic personal health information” and “nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees.”
  • Regulation IH-2002-03, CVR 21-020-055 protects customer information.
  • Regulation B-2018-01, CVR 21-010-016 protects “nonpublic personal health information” and “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from [financial institutions].”
  • CVR 31-010-003 protects the geographical location of a telephone being used by a caller.
  • CVR 30-000-7600 protects information about consumers and their calling patterns.
  • CVR 10-060-004 protects records and files kept by the Vermont Department of Taxes, including tax returns and return information.
  • CVR 10-060-033 protects consumers’ “personally identifiable information,” meaning all information that identifies a person.
  • CVR 22-000-006 protects students’ “education records,” which are defined as under the federal Family Educational Rights and Privacy Act of 1974 ("FERPA"), and “personally identifiable information,” defined as “(1) The name of a child, the child’s parent, or other family member; (2) The address of the child; (3) A personal identifier such as the child or parent’s social security number; or (4) A list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty such as the child’s date of birth or disability.”
Who is subject to privacy obligations?
  • “Data collectors,” defined as any person or public or private entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information. 
  • “Data brokers,” defined as a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
  • Public and private entities dealing with social security numbers.
  • Businesses with custody or control over personal information.
  • “Financial institutions” as defined under 8 V.S.A. § 10202 and Regulation B-2018-01, CVR 21-010-016.
  • “Covered entities” as defined in 45 C.F.R. § 160.103.
  • Operators of websites, online services, online applications, or mobile applications who have actual knowledge that the site, service, or application is used primarily for, and was designed and marketed for, “PreK–12 school purposes.”
  • The Vermont Department of Health and other persons who receive prescription information, data, or reports from the Vermont Prescription Monitoring System.
  • CVR 13-000-002 applies to employees, grantees, and contractors of the Vermont Agency of Human Services.
  • CVR 13-001-001 applies to the Vermont Agency of Human Services.
  • Regulation IH-2001-01, CVR 21-020-053 and Regulation IH-2002-03, CVR 21-020-055 apply to insurers licensed by the State of Vermont.
  • Regulation S-2016-01, CVR 21-030-001 applies to securities professionals and to applicants for initial registration as investment advisers.
  • Vermont’s fair employment practices statute and related provisions apply to employers in Vermont.
  • 12 V.S.A. § 1691a applies to litigants and counsel engaged in civil litigation matters.
  • 9 V.S.A. §§ 2464a-2464d apply to telemarketers and others who place telephone calls to make a telephone solicitation, or to induce a charitable contribution, donation, or gift of money or another thing of value.
  • The Vermont Fair Credit Reporting Act applies to credit reporting agencies and users of credit reports.
  • The Vermont Electronic Communication Privacy Act applies to law enforcement.
  • Vermont’s library patron records statute applies to libraries, library officers, employees, and volunteers in Vermont.
  • CVR 31-010-003 applies to local exchange carriers, alternative local exchange carriers, and telecommunications companies.
  • CVR 30-000-7600 applies to telecommunications carriers.
  • CVR 10-060-004 applies to the Vermont Department of Taxes.
  • CVR 10-060-033 applies to certified service providers working on behalf of sellers, and also to the Vermont Commissioner of Taxes.
  • CVR 22-000-006 applies to various educational institutions in Vermont.
What are the principles applicable to personal data processing?

The various statutes and regulations listed above contain various provisions addressing this issue. Also, failure to engage in fair and reasonable data security practices is generally deemed to be a violation of the Vermont Consumer Protection Act.

How is the processing of personal data regulated?

The various statutes and regulations listed above contain various provisions addressing this issue. Also, failure to engage in fair and reasonable data security practices is generally deemed to be a violation of the Vermont Consumer Protection Act.

How are storage, security and retention of personal data regulated?

The various statutes and regulations listed above contain various provisions addressing this issue. Also, failure to engage in fair and reasonable data security practices is generally deemed to be a violation of the Vermont Consumer Protection Act.

What are the data subjects' rights?

CVR 10-060-033 requires that the Vermont Commissioner of Taxes must provide consumers with reasonable access to their own personally identifiable information in the state’s possession, as well as the right to correct any inaccurately recorded information. 

Are there restrictions on cross-border data transfers?

N/A

Are there any notification requirements for data breaches?

The Vermont Security Breach Notice Act contains the following notice requirements for breaches involving PII:

  • Preliminary notice must be given to the Vermont Attorney General’s Office or the Vermont Department of Financial Regulation within 14 business days after discovery of a breach or at the same time notice of the breach is provided to consumers, whichever is sooner.  The notice must include the date of the breach, the date of discovery of the breach, a description of the breach (including the number of Vermont consumers affected, if known), and a copy of the notice provided to consumers if already made.  
  • Notice to affected consumers must be given as quickly as possible and without unreasonable delay, but no later than 45 days after the discovery of a breach.  The notice must be clear and conspicuous and must include the following if known: a description of the breach itself (in general terms), including the approximate date of the breach and the type of PII that was subject to the breach; a description of the general actions taken to protect the PII from further breaches; a telephone number (toll-free if available) consumers may call for further information and assistance; and advice directing consumers to remain vigilant by reviewing account statements and monitoring free credit reports. The notice may be made by written, electronic, or telephonic means, or in some instances by substitute means (website notice or statewide and regional media notice). 

The Security Breach Notice Act contains the following notice requirements for breaches that are limited to login credentials:

  • A data collector is only required to provide notice of the security breach to the Attorney General or Department of Financial Regulation, as applicable, if the login credentials were acquired directly from the data collector or its agent.
  • If the login credentials are for an online account other than an e-mail account, the data collector must provide notice to the consumer electronically or through other authorized means (written, telephonic, or substitute) and must advise the consumer to take steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials.
  • If the breach is limited to login credentials for an email account, the data collector may not provide notice of the breach through that email account, and must provide notice through written, electronic, or telephonic means, or in some instances by substitute means, or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an Internet protocol address or online location from which the data collector knows the consumer customarily accesses the account.  

In all cases, the required notice may be delayed if requested to do so by a law enforcement agency. If the request is not made in writing, it must be documented in writing, including the name of the law enforcement agency and officer.  After the agency reports that there is no longer a need to delay the required notification, such notification must be made without unreasonable delay.

Notice of a breach is not required if (1) the data collector establishes that misuse of personally identifiable information or login credentials is not reasonably possible and (2) the data collector provides notice of the determination of this fact and a detailed explanation for the determination to the Vermont Attorney General or to the Department of Financial Regulation, as applicable. If the data collector subsequently obtains facts indicating that misuse of the personally identifiable information or login credentials has occurred or is occurring, the data collector must provide notice of the breach.

If notice must be provided to more than 1,000 consumers for a breach, notice must also be promptly given to all national consumer credit reporting agencies of the timing, distribution, and content of the consumer notice.

A data collector that is subject to the privacy, security, and breach notification rules adopted in 45 C.F.R. Part 164 pursuant to the federal Health Insurance Portability and Accountability Act is deemed to be in compliance with the Security Breach Notice Act if (1) the data collector experiences a security breach that is limited to personally identifiable information specified in 2430(10)(A)(vii); and (2) the data collector provides notice to affected consumers pursuant to the requirements of the breach notification rule in 45 C.F.R. Part 164.

Who is the privacy regulator?

The Vermont Attorney General’s Office is the primary regulator of matters concerning privacy and data security in Vermont. Other agencies that have issued regulations covering privacy issues include the Vermont Department of Financial Regulation; the Vermont Department of Banking, Insurance, Securities & Health Care Administration; the Vermont Agency of Human Services; and the Vermont Department of Public Service.

What are the consequences of a privacy breach?

The Vermont Security Breach Notice Act is enforced under the same authority as the Vermont Consumer Protection Act. Enforcement actions under the Act may seek injunctive relief and civil penalties of up to USD 10,000 per violation per day. (Other Vermont privacy-related laws contain similar enforcement provisions.) In addition to enforcement actions, a party experiencing a data breach is potentially subject to private lawsuits arising from compromised personal information.

How is electronic marketing regulated?

Electronic marketing is generally regulated under the Vermont Consumer Protection Act (Title 9, Chapter 63 of the Vermont Statutes, 9 V.S.A. §§ 2451 et seq.), which covers “unfair methods of competition, unfair or deceptive acts or practices, and anti-competitive practices in order to protect the public and to encourage fair and honest competition.” Also, the Vermont Attorney General issues rules and conducts investigations and enforcement actions in the area of consumer protection.

Are there any recent developments or expected reforms?

Vermont has introduced four bills – H.75, H.160, H.233, and H.570. These bills are all still in committee. H.75 proposes the adoption of consumer protection measures allowing consumers to opt out of the use of technology for facial and voice recognition, requiring consent for the collection of data from minors, and requiring that businesses operating social networking services provide consumers an option to delete all personally identifiable data in their records upon closing their account. H.160 proposes the adoption of consumer privacy protections giving Vermonters more control over the amount and type of data that personal device manufacturers and service providers collect about them, as well as the adoption of other protections similar to those in the California Consumer Privacy Act. H.233 proposes consumer privacy measures to protect the confidentiality of consumers’ genetic data. H.570 proposes to enhance data privacy protections for consumers.

Note: Vermont’s data broker statute is the first of its kind in the nation. Also, Vermont’s 14-day “preliminary notice” requirement for data breaches is unique to the state.
