26 April 2021
Over the last few years, data breaches have increased worldwide. Even though many governments have placed a greater emphasis on securing data, hackers are almost always ahead of the curve, with security professionals playing catch-up.
Business owners and leaders of organizations worldwide have found cybercriminals applying techniques such as supply chain attacks, social engineering tactics, and various types of malware to get inside corporate systems to steal and expose information and ultimately make some cash.
In fact, during the first part of 2019, there were more than five thousand security breaches recorded, which compromised and exposed almost 8 billion data records. The number of breaches in 2019 was more than twice that of the prior year.
Bearing in mind the above information and understanding that there has been a severe lack in the preparedness of businesses to meet security challenges, the state of Vermont passed updates to its Security Breach Notice Act (the Act) which became effective July 1, 2020.
In the article below, we'll go over Vermont's data breach notification law, what it aims to do, whom it applies to, and what your business needs to do to ensure compliance.
Vermont's Security Breach Notice Act was originally passed in 2006 and subsequently updated in 2012, 2013, 2015, and March 2020. Under the Act, state agencies and businesses have to notify consumers and the Attorney General if they experience a security breach.
The Act defines a security breach as the:
"unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency]."
Under the Act, Personally Identifiable Information (PII) is defined as an individual's first initial or first name and last name put together with at least one of the following digital data elements when these elements are not redacted, encrypted or otherwise protected by other methods that render them unusable or unreadable by unauthorized parties:
In addition to the above, the Attorney General's office considers the front of a check that contains the account number, name, and routing number (also potentially the signature and address) to be PII.
Finally, even if a credit card's expiration date and security code (CVV) are not included, the credit card number and name on the card are still considered PII.
As stated at the outset, the Act was amended in 2020 and went into effect on July 1 of that year. This amendment applies only to security breaches for which a data collector was notified or that were discovered after the Act's amendment became enforceable.
Immediately below are the significant changes brought about by the 2020 amendments.
If your company is a data collector and you've suffered a data breach, then you are bound to abide by the regulations set forth in the Act.
The definition of "Data Collector" in this context is an entity that, "for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information."
Other types of entities besides businesses, which are affected by the Act, are state agencies, public and private universities, non-profit organizations, and municipalities.
Similar to many other data protection laws enacted across the United States, your business doesn't have to be located in the state.
If your organization does business in the state of Vermont and if even one state resident's data has been compromised due to a security breach, the Act applies to you.
Many financial institutions are exempt. Here it is, taken from page 22 of the earlier-linked PDF:
Now that you understand a bit about the purpose behind the Act, how it came about and whether or not it applies to you, let's look at what practical steps will need to be taken to comply with the Act.
If you believe that your business has been the victim of a security breach, you should do the following right away:
Go over the steps listed below as soon as you discover a security breach, and do as many of them as you're able, as fast as you can.
As soon as a data breach is discovered, you should immediately disconnect the affected computers from your networks and remove the impacted hard drives. This is a reasonable first step in stopping any information theft that might still be occurring.
Try to take this step without destroying any evidence law enforcement might need when they investigate.
Additionally, you should:
As noted above, you should get law enforcement involved right away. If you happen to be storing someone else's data, ensure that you contact them immediately.
You'll also need to:
You should never alter, delete, or move files from systems that you believe were affected by a security breach without consulting law enforcement or a forensic expert.
You should also never contact the person or persons you believe may have perpetrated the crime.
Finally, never procrastinate when it comes to sending a preliminary notice of a security breach to Vermont's Attorney General.
There isn't a specific requirement to investigate potential breaches. However, it is assumed that you will conduct one. In fact, if you even suspect there's been a breach, but you fail to notify the Attorney General's office and the affected consumers, then you've violated the Act.
Additionally, if you fail to cooperate 100 percent with third-party investigators like the Payment Card Institute (PCI) so that the investigation takes longer than authorities deem it should, you have also violated the Act.
Authorities will look at whether you, as the data collector, have acted in the most expedient manner possible. This is measured from the moment you are notified or first discover a security breach.
Moreover, it's possible that if you fail to properly investigate a security breach, it might be considered a deceptive or unfair act in violation of Vermont's Consumer Protection Act.
Data collectors that do business in the state of Vermont and who maintain or possess PII have to notify the licensors or owners of the PII if they believe that data has been compromised. This is true regardless of whether the PII is in an electronic or hard-copy format.
Electronic or digital formats include:
Remember that data breach laws across the United States are changing at a rapid pace. It's possible that Vermont's data breach notification law could be amended again in the future. Therefore, you should pay close attention to updates as they occur so that you can make sure any response plans you have are current.
It's vitally important to remember how short a time you have to notify the office of Vermont's Attorney General in case of even a suspected security breach. You only have 14 days. This is the shortest time frame for notification in the entire United States.
Business owners are advised to ensure that they plan in advance for the possibility of a security breach, have written response policies, and test those response policies regularly.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.