Vermont Attorney General Provides Guidance on Security Breach Notice Act

On March 5, 2020, Gov. Phil Scott (VT-R) signed into law amendments to the Security Breach Notice Act (the “Act”). The amendments, which originated in the State Senate as part of an initiative addressing a number of data privacy issues (S. 110), took effect on July 1, 2020. On July 14, 2020, Vermont Attorney General (AG) TJ Donovan published a comprehensive guidance document to assist companies and other types of data controllers with compliance. This is the first material update to the AG’s guidance about the Act since September 2014. See our previous post explaining the most significant changes to the Act for more information.


The AG’s guidance notes that it is not directed to entities regulated by the Vermont Department of Financial Regulation (DFR) (the Act mandates that data collectors report security breaches not only to affected consumers, but also to the AG or DFR, depending on whether they are regulated by the DFR or not). However, the guidance still provides helpful interpretations and applications of the Act that, while not legal advice, may shed light on how data collectors may best comply with the Act to avoid enforcement actions.


The guidance is organized as a set of helpful FAQs to assist data collectors in determining whether they are subject to the Act, and it provides a quick-reference guide for what to do if you are a business or state agency that has suffered (or suspects it has suffered) a data security breach. However, these steps should be viewed with caution, as they are writ ..
