Vermont

Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others.  The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services.  The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.
Continue Reading Vermont Enacts Data Breach Notification and Student Privacy Legislation

This spring has seen significant legislative activity with regards to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere.  Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws.  Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law.  In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.”  This post examines each state’s amendments in greater detail below.

Colorado

Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines.  Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred.  Colorado joins Florida as the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions.  In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach.  As with individual notifications, the notification to the state Attorney General must be provided within 30 days  after the date of determination of a breach.Continue Reading Colorado, Louisiana, and Vermont Add to Recent Trend of Changes to State Data Breach Notification Laws

Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers.  Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general with a general description of the incident and certain other information.  Vermont law continues to require businesses to notify consumers of breaches that trigger the notification obligation “in the most expedient time possible and without unreasonable delay.”  However, the amendment imposed an outside window of 45 days to notify consumers. 

The amendments also amended the definition of “security breach.”   Prior to the amendments, “security breach” was defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity” of the data.  The amended language defines a “security breach” as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of the data.  This language is more narrow insofar as access to data is no longer sufficient to trigger a notice obligation―which is now tied only to the acquisition of data.  It is also more broad, however, insofar as either the acquisition or a reasonable belief of the acquisition of data may trigger a notification obligation. Continue Reading Vermont Amends Breach Notice Requirements

On January 7, 2010, the U.S. Supreme Court agreed to review a Court of Appeals decision striking down Vermont’s prescription confidentiality law.  The State of Vermont had petitioned the Supreme Court to review the case on December 13, 2010, after the Second Circuit ruled that the law constituted an impermissible restriction on commercial speech under the

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the