Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay but no later than 45 days
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to commercial entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if covered entity determines misuse of covered info is not reasonably possible and provides documentation of determination to Attorney General or Dept. of Financial Regulation, as appropriate. However, the covered entity must notify affected persons if it later gathers facts that indicate the misuse of personal information or login credentials is reasonably possible.
Breach Defined
Unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector.
Encryption Safe Harbor
Statute does not apply to info that is encrypted, redacted, or protected by another method that renders it unreadable or unusable.
Form of Covered Information
Electronic Only
Covered Information
An individual's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number.
- Driver's license or nondriver state identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction.
- Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords.
- A password or personal identification number or other access code for a financial account.
- Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
- Genetic information.
- Health records or records of a wellness program or similar program of health promotion or disease prevention; a healthcare professional's medical diagnosis or treatment of the individual; or a health insurance policy number.
The statute also protects login credentials, defined as a consumer's username or email address, in combination with a password or an answer to a security question, that together permit access to an online account.
Consumer Notice Timing
The Vermont statute requires covered entities to give notice to affected persons in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery, consistent with the legitimate needs of a law enforcement investigation or a national or homeland security investigation.
Consumer Notice Method
By written notice, telephone notice (if the entity has direct contact with the resident via a live call), or electronic notice (if electronic notice is the primary method of communication with the resident or the notice is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Notice shall be clear and conspicuous and include a description of each of the following, if known:
- The incident in general terms.
- The type of personally identifiable information that was subject to the security breach.
- The general acts of the entity to protect the personally identifiable information from further security breach.
- A telephone number, toll-free if available, that the individual may call for further information and assistance.
- Advice that directs the individual to remain vigilant by reviewing account statements and monitoring free credit reports.
- The approximate date of the security breach.
If a breach is limited to login credentials for an online account other than an email account, an entity shall provide notice of the security breach to the individual electronically or through one or more of the methods listed under Consumer Notice Method above, and shall advise the individual to take the steps necessary to protect the online account, including changing his or her login credentials for that account and for any other account for which the individual uses the same login credentials.
Delayed Notice
Notification shall be delayed if law enforcement believes notice may impede an investigation or jeopardize public safety or national or homeland security interests. If law enforcement makes the request in a form other than in writing, the covered entity must document the request in writing, including name of officer and agency making the request.
Government Notice
Subject to a law enforcement delay, must provide preliminary notice to the Attorney General (or Dept. of Financial Regulation if regulated by the Dept.) within 14 business days of discovery of the breach. Notice should include date of the breach (if known), date of discovery, and a preliminary description of the breach. This requirement is subject to certain limitations. When consumer notice is provided, the covered entity must provide follow-up notice to the Attorney General or Department, as appropriate, identifying the number of Vermont residents affected, if known, and a copy of the consumer notice.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
Covered entities that are subject to the privacy, security, and breach notification rules set by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are deemed in compliance with the state's notification laws if the covered entity experiences a breach that is limited to health records and provides notice to affected consumers as required by HIPAA's breach notification rule.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
The Vermont statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.