Vermont Updates Data Breach Notification Law

Cynthia Larose and Amy Malone describe recent changes to Vermont’s law that strengthens some consumer protections:

Effective as of May 8, 2012, Vermont’s updated data breach law (Act 109) brings along several changes.  The biggest change is in the notification requirements.  Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach (if known).  To further complicate matters, notification to the Vermont Attorney General must occur within 14 business days of either the discovery of the breach or notice to the consumers, whichever is sooner and must include the date of the security breach, date of discovery of the breach and a preliminary description of the breach.

 Read more on JDSupra.  While the changes described above are positive ones, the law has also changed the trigger from acquisition or access to “unauthorized acquisition…or a reasonable belief of an unauthorized acquisition.”  That change will likely reduce the scope of incidents we learn about.

About the author: Dissent

Comments are closed.