Security Breach Notice Act
In accordance with 9 V.S.A. §§ 2430 and 2435, the Vermont Security Breach Notice Act requires a data collector or other entity regulated by the Department of Financial Regulation (DFR) to provide notice(s) of a security breach to: (1) DFR, (2) the affected consumer and (3) the owner or licensee of the data or records breached.
Notice to DFR
An entity regulated by DFR must provide notice to DFR within 14 business days of knowing, or having a reasonable belief, that even one Vermont resident was impacted by the breach. For complete information on the notice to DFR, review the Security Breach Notice Act. The Department prefers email notice.
Please direct all notices to:
USPS
Sheila Grace, General Counsel
Vermont Department of Financial Regulation
89 Main Street
Montpelier, VT 05620-3101
DFR.SecurityBreach@vermont.gov
Notice to Data Collectors That Own or License the Breached Data
Any data collector that maintains or possesses data that the data collector does not own or license shall notify the owner or licensees immediately following discovery of the breach. See 9 V.S.A. § 2435(b)(2).
Notice to Consumers
An entity regulated by DFR must provide notice to consumers within 45 days of knowing, or having a reasonable belief, that even one Vermont resident was impacted by the breach.
For complete information on the required consumer notices, review the Security Breach Notice Act.
Additional Information
See the Frequently Asked Questions and read all Bulletins related to the Security Breach Notice Act.
Questions
Still have questions about security breaches or compliance with the Security Breach Notice Act? Email them to DFR.SecurityBreach@vermont.gov.