Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers.  Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general with a general description of the incident and certain other information.  Vermont law continues to require businesses to notify consumers of breaches that trigger the notification obligation “in the most expedient time possible and without unreasonable delay.”  However, the amendment imposed an outside window of 45 days to notify consumers. 

The amendments also revised the definition of “security breach.” Prior to the amendments, “security breach” was defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity” of the data. The amended language defines a “security breach” as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of the data. This language is narrower insofar as access to data is no longer sufficient to trigger a notice obligation, which is now tied only to the acquisition of data. It is also broader, however, insofar as either the acquisition or a reasonable belief of the acquisition of data may trigger a notification obligation.

The updated law provides several factors that data collectors may consider in determining whether a person “acquired” personal information without authorization, including:

  • indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information
  • indications that the information has been downloaded or copied
  • indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported, and
  • indications that the information has been made public

The first three of the above four considerations align with those deemed relevant under New York law and by guidance issued by the California Office of Privacy Protection.  The Vermont attorney general has issued its own breach notification guidance, although its guidance has not been updated since the recent amendments.