Vermont amends data breach notification statute

Vermont has recently amended its data breach notification statute, and organizations that transact with Vermont residents should be aware of the law’s new requirements.

First, the law currently only requires organizations to notify individuals when Social Security numbers, driver’s license or non-driver’s license identification numbers, and/or financial, credit, or debit account credentials were compromised in a data breach. Effective July 1, 2020, the law will also require business organizations to notify consumers when other government identification numbers, biometric information, genetic information, certain medical information, and email login credentials are compromised.

Second, the law restricts organizations’ ability to notify consumers of a data breach through the media and their own websites in lieu of a letter, telephone call, or email (i.e., via “substitute notice”). Currently, in order to provide substitute notice of data breaches, organizations must demonstrate that (1) the cost of directly notifying consumers via email or telephone would exceed $5,000; (2) the organization lacks sufficient contact information of impacted individuals; or (3) over 5,000 individuals were impacted by the data breach. However, come July 1, 2020, an organization must be able to demonstrate that direct notice would cost more than $10,000 or that it lacks sufficient contact information for impacted individuals. Organizations will no longer be entitled to provide substitute notice based solely on the number of individuals impacted by a particular data breach.

Vermont is widely regarded as a national leader in consumer privacy law, and we therefore expect other states to also expand their own breach notification requirements and restrict the availability and use of substitute notification.

Attorneys from McDonald Hopkins’ national Data Privacy and Cybersecurity practice group are available to counsel organizations on complying with data breach notification statutes and other privacy laws.