As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislature. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, and the narrowing of permissible circumstances under which substitute notice may be applied. Bill S.110 amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil Scott, and will take effect July 1, 2020. In addition Bill S.110, creates a new duties and prohibitions with respect to student privacy directed towards educational technology services (similar to a law first enacted in California, and later adopted by over 20 states).
Key updates to Vermont’s Security Breach Notice Act include:
- Expansion of Personally Identifiable Information (PII)
Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation. Prior to this amendment, the definition of PII in Vermont was limited to four basic data elements that when unencrypted, a consumer’s first name or first initial and last name in combination with:
- Social Security number;
- Driver license or nondriver identification card number; • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or
- Account Passwords, personal identification numbers, or other access codes for a financial account.
The amended law includes these elements, and adds the following when combined with a consumer’s first name or first initial and last name:
- Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
- Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- Genetic information; and
- Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.
The amended law will also include notification requirements for breaches of “login credentials”. The amendment defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.
- Substitute Notice
Previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information.
Under the amended law, substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice where the number of consumers exceed a certain threshold.
Student Privacy Law
Finally, Bill S.110 also includes the Student Online Personal Information Protection Act, which prohibits an “operator” from sharing student data and using that data for targeted advertising on students for a non-educational purpose. Under the new law, “operator” means the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 purposes, and designed and marketed as such. The passage of this law is particularly relevant during the COVID-19 pandemic, as student use of education technology services has dramatically increased.
This amendment keeps Vermont in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.