Privacy Update: Vermont Tightens Data Breach Laws - What Your Business Needs to Do

Privacy and security issues remain hot topics for lawmakers. Recently, Vermont joined the trend of updating its data breach notification law. Bill S.110, amending Vermont’s Security Breach Notice Act, will become effective as of July 1, 2024. The bill also creates new duties and prohibitions with respect to student privacy directed toward educational technology services (similar to a law first enacted in California and later adopted by over 20 states). Here's what you need to know and do to stay compliant.

Key Changes to Vermont’s Security Breach Notice Act:

1.    More Personal Information is Now Protected: Vermont expanded the definition of Personally Identifiable Information (PII). It now includes Social Security numbers, driver’s licenses, financial account details, and also:

·       Taxpayer IDs, passport numbers, and military IDs

·       Biometric data (think fingerprints and retina scans)

·       Genetic info and health records

·       Login credentials (usernames and passwords)


2.    Tougher Rules on Substitute Notice: Previously, you could use substitute notice if direct notice (like a phone call) costs too much or involves more than 5,000 people. Now, substitute notice is only allowed if direct notice costs over $10,000 or if you don’t have enough contact info. No more shortcuts just because a lot of people are involved.


3.    New Student Privacy Protections: Bill S.110 includes protections for student data, especially for K-12 education tech services. No sharing student info for ads!

Action Items for Businesses:

1.    Expand Your PII List: Update your data protection protocols to include the newly added data types. Make sure you’re securing everything from fingerprints to health records.

2.    Review Your Notification Procedures: Check how you handle breach notifications. Be prepared for higher costs of direct notifications and ensure you have up-to-date contact info.

3.    Secure Student Data: If your business deals with educational tech, tighten controls on student data. Avoid using it for non-educational purposes, especially ads.

4.    Boost Your Cybersecurity Measures: With stricter laws, it's time to double down on your data security practices. Regularly audit and update your systems to prevent breaches.

5.    Stay Informed: Keep an eye on privacy laws. They’re changing fast, and staying updated helps avoid legal headaches. Consult an experienced privacy attorney for help with tricky situations.

By following these steps, you can navigate Vermont’s new data breach laws without breaking a sweat. Just remember, better safe (and compliant) than sorry!

©2024 East West General Counsel. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between East West General Counsel and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of East West General Counsel.