You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
- change the information protected to “personally identifiable information” (it was formerly “personal information”);
- exclude from the definition of “security breach” mere “unauthorized access” and “good faith but unauthorized acquisition” of PII;
- require that notice of breaches now be made “45 days after the discovery or notification”; and
- require entities suffering a breach to “provide notice of a breach to the attorney general’s office”.
A final cautionary note: Vermont has yet to update its Attorney General’s Security Breach Notification Guidance to match this change in the law.