
Data Breach Notifications

Security Breach Notice Act

In accordance with 9 V.S.A. §§ 2430 and 2435, the Vermont Security Breach Notice Act requires a data collector or other entity regulated by the Department of Financial Regulation (DFR) to provide notice(s) of a security breach to: (1) DFR, (2) the affected consumer, and (3) the owner or licensee of the data or records breached.

Notice to DFR: An entity regulated by DFR must provide notice to DFR within 14 business days of knowing, or having a reasonable belief, that even one Vermont resident was impacted by the breach. For complete information on the notice to DFR, review the Security Breach Notice Act. The Department prefers email notice.

Please direct all notices to DFR at:

Sheila Grace, General Counsel
Department of Financial Regulation
89 Main St., Montpelier VT 05620-3101
DFR.SecurityBreach@vermont.gov

Notice to data collectors that own or license the breached data: Any data collector that maintains or possesses data that the data collector does not own or license shall notify the owner or licensees immediately following discovery of the breach. See 9 V.S.A. § 2435(b)(2).

Notice to consumers: An entity regulated by DFR must provide notice to consumers within 45 days of knowing, or having a reasonable belief, that even one Vermont resident was impacted by the breach.

For complete information on the required consumer notices, review the Security Breach Notice Act.

Please check out the Frequently Asked Questions and read all Bulletins related to the Security Breach Notice Act.

If you have any questions about security breaches or compliance with the Security Breach Notice Act, please email us at DFR.SecurityBreach@vermont.gov.