Personal information such as Social Security Numbers, credit and debit card numbers, and bank account information must be kept confidential and secure under Vermont law. This page describes how businesses and state agencies must protect consumers’ personal information and notify consumers in the event of a data security breach.
If you are concerned that someone is using your personal information to commit identity theft, please refer to our information on Identity Theft at our Consumer Assistance Program.
This page provides information on the following topics:
Duty to Notify Vermont Consumers and Attorney General of a Security Breach
Vermont’s Security Breach Notice Act has been amended effective July 1, 2020. An explanation of the changes can be found here.
Vermont’s Security Breach Notice Act requires businesses and state agencies to notify the Attorney General and consumers in the event a business or state agency suffers a “security breach.” A security breach is defined as the “unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency].”
14-day Notice: Businesses are required to notify the Office of the Attorney General within 14 days of discovering or being notified of a breach. This notification may be preliminary, and is kept confidential by statute. The form for submitting this Preliminary Notice can be found here. The form of affirmation required to waive the 14-day preliminary notice requirement can be found here (PDF).
Notice to Consumers: The notification to consumers must be sent as soon as possible and without unreasonable delay, and no later than 45 days after discovery or notice of the breach. Depending on the size of the breach, the notice must be given either individually in a specific form or through mass media. The form for submitting the Consumer Notice can be found here.
Information on what to do in the event of a security breach is available in the Vermont Attorney General’s Security Breach Notification Guidance.
Security Breach Notices
The Attorney General maintains a list of notice letters received by the Office concerning incidents that may have compromised the personal information of Vermont residents.
Data Security for Small Businesses
If you would like to be added to our Data Security distribution list or have any questions about Data Security, please email ago.datasecurity@vermont.gov.
There are many helpful resources for Data Security guidance. Below are just a few:
As a part of the Small Business Initiative, this Cybersecurity for Small Businesses training is a webinar about protecting your small business from data breaches, scams, and cyber-attacks.
Use of Social Security Numbers
Vermont’s Social Security Number Protection Act requires businesses and state agencies to limit the use of Social Security Numbers and protect their confidentiality. In particular:
More information about all of these laws and recommended practices for protecting the confidentiality of Social Security Numbers is available in the Vermont Attorney General’s Guidance Concerning the Protection of Social Security Numbers.