Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others.  The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services.  The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.

Data Breach Notification Changes

Vermont’s existing data breach notification law requires data collectors to notify affected Vermont residents and the Vermont Attorney General within a specific time frame following a “security breach,” defined as the unauthorized acquisition of unencrypted PII.  S.B. 110’s amendments to Vermont’s data breach notification law include revisions to the law’s definition of PII that can trigger notification obligations if breached.  The amendments will expand the definition to include a consumer’s name in combination with any of the following data elements:

  • Certain government identification numbers, such as individual taxpayer identification numbers, passport numbers, or military identification card numbers (in addition to driver’s license or state identification card numbers, which are already covered by the existing law);
  • Certain biometric data used for identification or authentication;
  • Genetic information;
  • Certain health records, including records of a “wellness program or similar program of health promotion or disease prevention”;
  • A medical diagnosis or treatment; or
  • A health insurance policy number.

The amendments to the data breach notification law will also include notification obligations resulting from a breach of “login credentials.”  The amendments define “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.”  A breach of login credentials may trigger certain notification obligations to affected individuals and the Vermont Attorney General, with alternative notification methods available if the login credentials relate to a consumer’s e-mail account.  Finally, if the breach only involves login credentials (and no other PII), the bill specifies that the data collector will only be required to notify the Vermont Attorney General if the credentials were acquired directly from the data collector or its agent.  This provision may help clarify notification obligations for breaches involving login credentials that are obtained from the dark web, re-used across accounts, or otherwise breached from a third-party source.

New Student Privacy Law

By passing S.B. 110, Vermont continues the recent trend of states passing laws that directly regulate operators of education technology services.  Vermont’s new student privacy law will apply to “operators” of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.  The Vermont law places certain restrictions and requirements on operators’ collection, use, disclosure, and retention of “covered information,” which includes certain types of personal information provided by a student, parent, or school employee or agent, or information gathered by the operator that personally identifies a student.

Under the new law, operators will be generally prohibited from:

  • Engaging in targeted advertising based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes;
  • Using information that is created or gathered by the operator’s site, service, or application to amass a profile about a student, except for PreK-12 purposes;
  • Selling, bartering, or renting a student’s information; or
  • Disclosing covered information to a third party, unless a specific exception applies (including certain disclosures for educational purposes).

In addition, operators will be required to:

  • Implement and maintain reasonable security procedures and practices;
  • Delete a student’s covered information within a reasonable time period if the school or school district requests deletion; and
  • Publicly disclose and provide the school with information about the operator’s collection, use, and disclosure of covered information.

The law also explicitly permits certain acceptable uses and disclosures of covered information, such as disclosure for legitimate research purposes.  Operators may also use covered information that is not associated with an identified student to improve educational products, demonstrate the effectiveness of products or services, or improve educational services.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.