Vermont is one of the most recent states to update its data breach notification law. Bill S-110 was signed into law by Governor Phil Scott on March 5, 2020. The changes to Vermont's Security Breach Notice Act, effective July 1, 2020, include revised breach notification requirements, an expanded definition of PII, and a new student privacy law. Read on for what each of those entails.
Breach Notification Requirements
Generally speaking, consumers in Vermont can be notified of a breach in two ways:
- Direct notice: written notice mailed to the consumer's home; email notice, if email is the organization's primary method of communicating with the consumer and the notice does not ask the consumer to supply personal information; or telephone notice, provided the consumer is reached directly rather than by a prerecorded message.
- Substitute notice: conspicuously posting the notice on the breached organization's website and notifying major statewide and regional media.
Substitute notice is now allowed only when the lowest-cost form of direct notice (email, mail, or telephone) would cost more than $10,000, or when the organization does not have sufficient contact information for the affected consumers. The number of consumers affected is no longer, by itself, a reason to fall back on substitute notice: S-110 requires direct consumer notice regardless of breach scale. The expanded definition of PII (see below) also means more incidents will meet the threshold for notification.
PII Expansion
Like recent expansions in other states, Vermont's amended law broadens the set of data elements whose exposure triggers consumer notification. Previously, personally identifiable information (PII) was limited to the unencrypted combination of a person's first name or first initial and last name with one or more of:
- Social Security number
- Driver’s license or non-driver ID card number
- Bank account or credit/debit card number
- Financial account passwords, PINs, or other access codes
S-110 requirements add the following to the list above:
- Government identification numbers such as TIN, passport number, or military ID
- Biometric data (fingerprint, retina scan, facial recognition)
- Genetic information
- Health records or a health insurance policy number
PII does not include information that is lawfully available to the public from federal, state, or local government records.
Breaches of login credentials are also covered by the amendment. Login credentials are defined as "a consumer's user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account." When a breach involves only login credentials and no other PII (as defined above), only the Attorney General or the Department of Financial Regulation must be notified.
Student Privacy Law
Modeled after a 2016 California law, the amended Vermont statute also includes a student privacy component that prohibits technology "operators" from using student and parent data collected through websites, apps, or educational software for non-educational purposes. S-110 restricts how covered student information may be collected, used, and retained. Under the law, covered student information includes:
- Personal information that is created or provided by a student, or the student’s parent or legal guardian, to an operator
- Personal information that is created or provided by an employee or agent of the K–12 school, school district, local education agency, or county office of education to an operator
- Personal information that is gathered by an operator through the operation of a website, service, or application
This information could include a “student’s educational record or e-mail, first and last name, home address, telephone number, e-mail address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, Social Security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information”.
Operators are prohibited from:
- Engaging in targeted advertising on the operator's own site, service, or application, or on any other site, based on information (including persistent unique identifiers) the operator acquired because its service was used for K–12 school purposes
- Using information it has acquired to build a profile of a K–12 student, except in furtherance of K–12 school purposes
- Selling a student’s information
- Disclosing covered information unless the disclosure is made in furtherance of the K–12 purpose of the website, service, or application
Operators must:
- Implement and maintain reasonable security procedures and practices to protect data
- Delete a student’s covered information if the school or district requests
Vermont is just the latest state to tighten its rules for preventing data breaches and protecting consumer data as cyber crime rises. With both the scope of notifiable data and the cost of substitute notice expanding, now is the time to protect your business by putting strong cyber security practices in place.