Up to $10,000


Mandated Timeframe
Within 14 business days


Vermont Privacy Law Information


A breached Organization must notify the Attorney General or the Department of Financial Regulation within 14 business days of discovering a breach and must provide a preliminary description of the breach. A follow-up regulatory notification is required to communicate the specific details once known.


Consumer notification following a breach involving login credentials may be sent by electronic notice to any consumers whose login credentials were wrongfully acquired. The consumer must be given advice on the "steps necessary to protect the online account, including to change his or her login credentials for the account and for any other account for which the consumer uses the same login credentials." Consumer notification of a breach must be made within 45 days. The Organization must notify, without unreasonable delay, all consumer reporting agencies if more than 1,000 affected consumers receive breach notification. If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction where they reside.


Vermont's security breach notification law is enforced under its Consumer Protection Act, with penalties of up to $10,000. Failure to protect personal information is treated as an unfair and deceptive act.


Data Brokers must have contracts in place with their Vendors. Data Brokers must register with the Secretary of State and provide detailed information regarding their practices.


Organizations and Vendors in the business of destroying records must have measures in place so that destroyed records containing personal information are left unreadable or undecipherable. Heightened protection and handling requirements apply to Social Security numbers. Organizations and Vendors in the business of destroying records must also have policies and procedures in place for the protection and security of personal information.
Organizations must contract with Vendors for the processing of personal information, or must exercise strict oversight (e.g., auditing) of Vendors if no contract exists. Organizations and their Vendors processing personal information in the course of commercial, for-profit activities must designate one or more individuals to be responsible for personal information under the Organization's control. Organizations and their Vendors must have policies and procedures in place for the handling, protection and security of personal information. Organizations must keep internal records of their personal information management practices. The Office of the Privacy Commissioner of Canada (the "OPC") has the right to audit an Organization's records.


Vendors must notify Organizations immediately following discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notifications.