Vermont Adds New Wrinkles to Data Breach Notification Law

Vermont has made some interesting amendments [.pdf at Sec. 4, p. 9] to its Security Breach Notice Act.  The changes, trumpeted in a recent press release as part of various consumer protection measures, were signed into law on May 8, 2012 to be effective immediately.

The most significant aspects of the revisions are:

  • Consumer notification of a breach must be made within 45 days after discovery of the breach.
  • The Vermont Attorney General must be notified within 14 days after discovery of the breach (or when the consumers are notified, whichever is sooner).
  • Various factors to be considered in determining whether a breach has occurred include:

(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
(ii) indications that the information has been downloaded or copied;
(iii) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the information has been made public.

In adding a 45-day consumer notification requirement, Vermont joins Florida, Wisconsin and Ohio as the only states having a specific time in which to notify.  Most states use vague timing language, e.g. as “expeditiously” as possible or within a “reasonable” time.

More troubling perhaps is the 14-day notification to Vermont’s Attorney General.  This provision seems like a ham-handed attempt by Vermont to make sure that the AG’s office learns about a data breach before consumers do.  In our significant experience in counseling clients on these types of incidents, a 14-day time period is likely to cause excessive and perhaps unnecessary notifications.  In many cases, two weeks is insufficient time to effectively determine whether a malware event, hacking intrusion or other potential data incident is actually a data breach, i.e. one where personal information has been exposed to unauthorized individuals.

Vermont’s amended law demonstrates the difficulty that many entities will face in dealing with the patchwork of regulations in the 46 states that have such provisions in place.  Vermont’s law, similar to most states’, applies to all entities that maintain information on Vermont residents (regardless of where the business itself is located).  Accordingly, in the wake of a data incident, any business would be wise to engage experienced data breach counsel to assist in navigating these murky waters.