Vermont's amended data breach notification law (Act 109) came into force on 8 May 2012, introducing a requirement for companies to notify consumers no later than 45 days after the discovery of a data breach.
Companies are also required to notify the Attorney General of Vermont, within 14 business days, of the date of the breach, the date of discovery of the breach and a preliminary description of the breach.
© 2013 Cecile Park Publishing Ltd. All rights reserved
Act 109 further adopts the widely used term 'personally identifiable data' (PII), replacing 'personal data' under the previous law.
The definition of security breach is also amended, by removing 'access' from the wording. Breach of data is now defined as an 'unauthorised acquisition of electronic data or a reasonable belief of an unauthorised acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector'.
In determining whether PII has been acquired or is reasonably believed to have been acquired by a person without valid authorisation, a data collector may consider, among other factors, whether the information is in the physical possession and control of a person without valid authorisation, such as a lost or stolen computer or other device containing information, or whether the information has been downloaded or copied.