The state of Vermont recently amended its security breach legislation. Most notably, the updated legislation now has a revised definition of a security breach and requires a rapid notification to consumers and the Vermont attorney general after discovery of a breach.
Specifically, the definition of a “security breach” was amended to delete the word “access,” which means that unauthorized access is no longer enough to trigger the notice requirement absent evidence that the information was acquired. Under the amended legislation, notice is required where there is an “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information.” Additionally, where a breach occurs, a data collector must notify the state attorney general within 14 days or at the time consumers are notified — whichever is sooner. However, consumers must be notified within 45 days of a security breach.
While the alteration of the definition of a security breach is significant, businesses may be most affected by the new rapid notice requirement. Now, within 14 days of a “reasonable belief” that there has been unauthorized acquisition of consumers’ personally identifying information, the data collector must report the breach to the attorney general. Under the law, “personally identifying information” includes an individual’s name plus an unencrypted or unredacted Social Security number, motor vehicle license number, identification number, or financial account information. This notice requirement means that businesses must work quickly to assess a breach so that they can notify the attorney general within the required time limit if they determine an acquisition occurred.
While Vermont is but one of many states to have a security breach notification statute, it is the latest to update its statute. Companies that collect consumers’ personally identifying information should be aware of the state statutes governing the protection of personally identifying information as well as notice requirements where such information is impermissibly accessed or acquired. Security breaches are cost- and time-intensive matters to resolve. And, where a state requires notice to the attorney general, this notice must be sent within the required time periods to avoid additional penalties as a result of the breach.