CONTACT >

T: 415.617.9155

E: info@wordsbywit.com

© 2019 by Words by Witkowski.
Proudly created with Wix.com

ABOUT THE SITE >

This site is the personal page of Anthony J. Witkowski III. I am a recent graduate of Northeastern Law and the two projects are the result of two classes, Internet Law & Information Security Law, in the Fall Quarter of 2017. Please visit the About page for more recent work.

Vermont Statutes 9 § 2430 et seq

Enacted:  1.1.2007

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

  • (8)  (A) "Security breach" means unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information maintained by the data collector.

    • (B)  "Security breach" does not include good faith but unauthorized acquisition of personally identifiable information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personally identifiable information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

    • (C)  In determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by a person without valid authorization, a data collector may consider the following factors, among others:

      • (i)  indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;

      • (ii)  indications that the information has been downloaded or copied;

      • (iii)  indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or

      • (iv)  that the information has been made public.

When is notice required?

Notice is required for all affected residents "...in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency...or with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system." Notice may be required to the Department of Finance or the Attorney General, depending on who they report to usually. Reports to the regulatory body or the AG should be delivered within 14 business days of discovery and include a description of what happened and when it occurred. A copy of any notice to consumers must be delivered to the Attorney General as well. The content of the notice is governed by § 2435(5) which requires the incident in general terms, the type of information exposed, acts to further protect your data, a contact number for assistance, advice to vigilantly check their accounts, and the approximate date of the breach. Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances, and if over 1,000 residents get notified then consumer credit agencies must be, too.

What are the penalties for non-compliance?

Enforcement is covered in § 2435(g), which reads as follows: 

  • "(g)  Enforcement.

    • (1)  With respect to all data collectors and other entities subject to this subchapter, other than a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Attorney General and State's Attorney shall have sole and full authority to investigate potential violations of this subchapter and to enforce, prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations made pursuant to this chapter as the Attorney General and State's Attorney have under chapter 63 of this title. The Attorney General may refer the matter to the State's Attorney in an appropriate case. The Superior Courts shall have jurisdiction over any enforcement matter brought by the Attorney General or a State's Attorney under this subsection.

    • (2)  With respect to a data collector that is a person or entity licensed or registered with the Department of Financial Regulation under Title 8 or this title, the Department of Financial Regulation shall have the full authority to investigate potential violations of this subchapter and to prosecute, obtain, and impose remedies for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter, as the Department has under Title 8 or this title or any other applicable law or regulation."