Vermont recently amended its security breach notification law with a number of changes.  Included in the amendment are changes to the definition of "security breach," guidance on determining whether a breach has occurred, a 45-day deadline for notification, and a requirement of notifying the attorney general of a breach.  The legislation, H.254, became Act 109 following the governor's signature.

Act 109 changes the coverage of the law from "personal information" to "personally identifiable information."  This amendment does not affect the substance of the law, but does provide a more descriptive term.  "Personally identifiable information" (PII) is a term commonly used in privacy and security circles.

Next, Act 109 changes the definition of "security breach."  These definitional changes are important because they trigger a duty to notify.  The first change narrows the scope of the definition by deleting the word "access" from the breach notification trigger.  Thus, unauthorized access alone does not trigger a duty to notify, even if it otherwise compromises the security of PII.  There must be actual unauthorized "acquisition" of PII.

The amendment also says that "a reasonable belief of an unauthorized acquisition of electronic data" that compromises the security of PII now can trigger a breach notification obligation.  Thus, the data collector does not need to have definitive proof of unauthorized acquisition of PII to have a duty to notify.  As long as the data collector reasonably believes that an acquisition occurred, the data collector must make a notification. 

The amendment also provides some guidance for determining whether an unauthorized acquisition occurred, in the form of a non-exclusive list of factors for the data collector to consider:

  1. Indications that the PII is in the physical possession and control of a person, such as the loss or theft of a device containing PII.
  2. Indications of the downloading or copying of PII.
  3. Indications of unauthorized use, such as identity theft resulting from the breach.
  4. Publication of the PII.

In addition, the amendment now establishes a deadline for breach notification.  The data collector must still notify consumers "in the most expedient time possible and without unreasonable delay," which by itself does not set a firm deadline.  The amendment, however, added a new term setting a 45-day deadline.  The 45 days are counted from discovery or notification of the breach.  However, if a law enforcement agency requests a delay in notification past the 45 days, the notification may be delayed to meet "the legitimate needs of the law enforcement agency."

The amendment requires that the data collector notify the attorney general of the breach, including providing information on the number of Vermont consumers affected by the breach, if the data collector knows the number of affected consumers.  The data collector must also provide a copy of the notification to the attorney general's office.  The deadline for notifying the attorney general's office is 14 business days, presumably from the date of discovery.  An amendment to the law enforcement delay provisions makes it clear that notification to the attorney general cannot be delayed based on a law enforcement request.

Finally, the required content of a breach notification has changed.  If the data collector does not know one of the required elements of a notification, it does not need to include that element in the notification.  Under previous law, all the listed elements had to be in the notification.  The amendment added one element to the notification: the approximate date of the security breach.  The amendment also softened the requirement of having a toll-free number to permit consumers to seek further information and assistance.  The data collector need only provide a toll-free number if it is (otherwise) available.  Thus, data collectors need not start using a toll-free number just to make a breach notification.

Companies with customers in Vermont should review the terms of the recent amendment and take the amendment into account in their breach notification planning.  The decision of whether notification is necessary will depend on where a company's customers are located, where it is doing business, and the details of the state laws that may apply.  There is no substitute for staying current on the laws of all the states that may apply to a company following a breach.

Stephen Wu

Partner, Cooke Kobrick & Wu LLP