[BreachExchange] Vermont Updates its Data Breach Notification Law

Destry Winant destry at riskbasedsecurity.com
Tue Jun 2 10:16:27 EDT 2020


As the COVID-19 pandemic presses on, privacy and security matters
continue to be at the forefront for federal and state legislature. We
recently reported that Washington D.C. updated its data breach
notification law. Now, the Vermont legislature also amended its data
breach notification law, with significant overhauls including
expansion of its definition of personal information, and the narrowing
of permissible circumstances under which substitute notice may be
applied. Bill S.110 amending Vermont’s Security Breach Notice Act,
V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil
Scott, and will take effect July 1, 2020.  In addition Bill S.110,
creates a new duties and prohibitions with respect to student privacy
directed towards educational technology services (similar to a law
first enacted in California, and later adopted by over 20 states).

Key updates to Vermont’s Security Breach Notice Act include:

Expansion of Personally Identifiable Information (PII)

Following many other states, the new law will add to the data elements
that if breached could trigger a notification obligation.  Prior to
this amendment, the definition of PII in Vermont was limited to four
basic data elements that when unencrypted, a consumer’s first name or
first initial and last name in combination with:

- Social Security number;
- Driver license or nondriver identification card number;
- Financial account number or credit or debit card number, if
circumstances exist in which the number could be used without
additional identifying information, access codes, or passwords; or
- Account Passwords, personal identification numbers, or other access
codes for a financial account.

The amended law includes these elements, and adds the following when
combined with a consumer’s first name or first initial and last name:

- Individual taxpayer identification number, passport number, military
identification card number, or other identification number that
originates from a government identification document that is commonly
used to verify identity for a commercial transaction;
- Unique biometric data generated from measurements or technical
analysis of human body characteristics used by the owner or licensee
of the data to identify or authenticate the consumer, such as a
fingerprint, retina or iris image, or other unique physical
representation or digital representation of biometric data;
Genetic information; and
- Health records or records of a wellness program or similar program
of health promotion or disease prevention; a health care
professional’s medical diagnosis or treatment of the consumer; or a
health insurance policy number.

The amended law will also include notification requirements for
breaches of “login credentials”. The amendment defines “login
credentials” as “a consumer’s user name or e-mail address, in
combination with a password or an answer to a security question, that
together permit access to an online account.” If a breach is limited
to “login credentials” (and no other PII), the data collector is only
required to notify the Attorney General or Department of Finance, as
applicable, if the login credentials were acquired directly from the
data collector or its agent.

Substitute Notice

Previously, substitute notice was permitted where the cost of Direct
Notice via writing or telephone would exceed $5,000, more than 5,000
consumers would be receiving notice, or the data collector does not
have sufficient contact information.

Under the amended law, substitute notice is only permitted where the
lowest cost of providing Direct Notice via writing, email, or
telephone would exceed $10,000, or the data collector does not have
sufficient contact information. It is no longer permitted to provide
substitute notice where the number of consumers exceed a certain

Student Privacy Law

Finally, Bill S.110 also includes the Student Online Personal
Information Protection Act, which prohibits an “operator” from sharing
student data and using that data for targeted advertising on students
for a non-educational purpose. Under the new law, “operator” means the
operator of an Internet website, online service, online application,
or mobile application used primarily for K-12 purposes, and designed
and marketed as such. The passage of this law is particularly relevant
during the COVID-19 pandemic, as student use of education technology
services has dramatically increased.


This amendment keeps Vermont in line with other states across the
nation currently enhancing their data breach notification laws in
light of recent large-scale data breaches and heightened public
awareness.  Organizations across the United States should be
evaluating and enhancing their data breach prevention and response

More information about the BreachExchange mailing list