Data Breach Notification Statutes – Vermont

Last Updated: 02/28/2024

  • Applicable Statute: 9 Vt. Stat. Ann. §§ 2430, 2435
  • Attorney General Notice Required: Yes
    • Timing: Within 14 business days of the date the entity discovers the breach or the date notice is provided to consumers, whichever is sooner.
    • Method: Online form at https://ago.vermont.gov/form/vermont-state-security-breach-preliminary-reporting-form
    • Content: Notice to the Attorney General or the Department of Financial Regulation must:
      • Be provided within 14 business days of the date the entity discovers the breach or the date notice is provided to consumers, whichever is sooner.
      • If notice of the breach is provided to consumers, state the number of Vermont residents affected, if known, and include a copy of the notice sent to consumers.
      • Give the date the breach occurred, the date the breach was discovered, and a description of the breach. If the date of the breach is not known, the entity must send notice to the Attorney General or the Department of Financial Regulation as soon as the date becomes known.
      • Be sent to the Department of Financial Regulation if the entity is regulated by the Department; all other entities must notify the Attorney General.
    • Any entity that has, prior to the breach, sworn in writing on a form and in a manner prescribed by the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information and to respond to breaches in a manner consistent with state law shall notify the Attorney General before providing notice to consumers.
    • If the breach is limited to the unauthorized acquisition of login credentials, notice to the Attorney General or the Department of Financial Regulation is required only if the login credentials were acquired directly from the entity or its agent.
  • Consumer Notice Requirements:
    • Timing: Must be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.
    • Content: Notice involving personally identifiable information must be clear and conspicuous, and include a description of each of the following, if known:
      • The incident in general terms;
      • The type of personal information that was subject to the breach;
      • The general acts taken to protect the personal information from further security breach;
      • A telephone number, toll-free if available, that the consumer may call for further information and assistance;
      • Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and
      • The approximate date of the security breach.
    • Method:
      • Written notice mailed to the residence; live telephonic notice made directly with each Vermont resident; or electronic notice if the entity has a valid email address for the resident and either: (1) the notice is consistent with the provisions regarding electronic records and signatures set forth in E-SIGN; or (2) the entity's primary method of communication with the resident is by electronic means, the electronic notice does not request or contain a link to a request that the consumer provide personal information, and it conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches.
      • If a breach is limited to login credentials for an online account, notice of the breach must be provided to the consumer electronically or through one or more of the methods described above, and must advise the consumer to take the steps necessary to protect the online account, including changing his or her login credentials for that account and for any other account for which the consumer uses the same login credentials.
      • If a breach is limited to login credentials for an email account, notice of the breach must not be provided through that email account. The entity must provide notice through one of the methods described above or by clear and conspicuous notice delivered to the consumer online at a location that the entity knows the consumer customarily accesses.
  • Consumer Reporting Agency Obligations: If more than 1,000 residents are notified, the entity must also notify without unreasonable delay all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are provided only for convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein, and your interpretation of it, is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site does not create an attorney-client relationship between the reader, user, or browser and the website authors, contributors, Klinedinst PC, or its attorneys. Content included on this site is subject to change, and users should note the date of last update when reviewing such contents. The content is provided "as is"; no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in several such states, and visitors to this website are put on notice that neither Klinedinst PC nor its attorneys are or will be providing legal advice for states where its attorneys are not licensed.
