ACT NO. 162
Commerce and trade; consumer protection; personal information
This act enacts a Security Breach Notice Act, a Social Security Number Protection Act, and a Document Safe Destruction Act. The Security Breach Notice Act requires any data collector that owns or uses computerized personal information concerning a consumer to notify the consumer when there has been a security breach. A "data collector" includes any state agency, university, corporation, limited liability company, financial institution, retail operator, or other entity that handles, collects, disseminates, or otherwise deals with nonpublic information. However, until June 30, 2008, Vermont law enforcement agencies, including the department of public safety, shall not be considered data collectors. "Personal information" means an individual's first name or first initial and last name in combination with a Social Security number, driver's license number, account number, credit card number, account password, or personal identification number. Personal information does not mean publicly available information in government records. A "consumer" is a Vermont resident. Notice of a security breach to a consumer shall be delayed if necessary for law enforcement or homeland security purposes. Notice to consumers of a security breach may be direct, through written and mailed notice, telephonic notice, or e-mail notice. Substitute notice is authorized when the data collector would need to spend more than $5,000.00 on written or telephonic notice or the class of affected consumers exceeds 5,000 persons. Authorized substitute notice includes posting on the data collector's website and notification of statewide and regional media. If a data collector is required to inform more than 1,000 consumers of a security breach, the data collector also must notify consumer reporting agencies of the breach. Notice of a security breach to a consumer is not required if the data collector determines that the misuse of the compromised personal information is not reasonably possible. 
The data collector must notify the attorney general's office, or the department of banking, insurance, securities, and health care administration (BISHCA) if the data collector is licensed or registered with that department, of its determination that misuse of the personal information was not reasonably possible. If the data collector subsequently determines that misuse of personal information has occurred or is occurring, the data collector must notify the consumer. The requirements of the Security Breach Notice Act cannot be waived. Financial institutions subject to certain federal interagency guidance regarding consumer information are exempt from the Security Breach Notice Act. The attorney general has the same enforcement authority for the Security Breach Notice Act as it does under the Consumer Fraud Act. BISHCA has the same enforcement authority as it possesses under Title 8 for persons licensed or registered with the department. In actions against the state or a state agency data collector, an individual shall have the right to seek an injunction.
The Social Security Number Protection Act prohibits certain business uses of Social Security numbers (SSNs), including intentionally communicating or making an SSN available to the public; intentionally printing an SSN on any card required for access to services; requiring an individual to transmit an SSN over the internet unless the internet connection is secure; printing an SSN on any materials that are mailed to an individual unless required by law; and selling, leasing, lending, trading, or otherwise intentionally disclosing an individual's SSN to a third party without consent. Certain uses of SSNs are exempt from the requirements of the Social Security Number Protection Act, including: (1) when an SSN is needed to obtain a credit report; (2) the use of an SSN for necessary administrative purposes or internal verification; (3) when an SSN is needed to open an account or pay for a service; (4) the collection, use, or release of an SSN to investigate fraud, conduct background checks, or collect a debt, or to undertake a permissible purpose enumerated in the federal regulations known as Gramm-Leach-Bliley; (5) when an SSN is required by law; (6) when a business provides an SSN to a government agency; and (7) when a business is currently using an SSN inconsistent with the act, provided that the use of the SSN is continuous, the individual whose SSN is being used is notified and informed of the right to terminate the use, and a written request by an individual to stop the use of the SSN is implemented within 30 days of the receipt of the request. The Social Security Number Protection Act also applies to state use of SSNs. 
Under the act, the state and state agencies may not: (1) collect an SSN unless related to the performance of the agency's duties; (2) fail to segregate an SSN from the rest of a record; (3) fail to provide an individual with a statement on the need for the SSN being collected; (4) use the SSN for any purpose other than what is stated; (5) intentionally communicate or otherwise make an SSN available to the general public; (6) print an SSN on any card required for access to government services; (7) require an individual to transmit an SSN over the internet, unless the internet connection is secure; (8) require an individual to use an SSN to access an internet website; and (9) print an individual's SSN on any materials that are mailed to an individual unless required by law. Certain state uses of SSNs are exempt from the requirements of the act, including: (1) SSNs disclosed to another government agency if necessary for the receiving entity to perform its duties; (2) SSNs disclosed pursuant to court order; (3) SSNs disclosed for public health purposes; (4) the use for administrative purposes or internal verification; (5) SSNs that have been redacted; (6) current state or state agency use of an SSN inconsistent with the act, provided that the use of the SSN is continuous, the individual whose SSN is being used is notified and informed of the right to terminate the use, and a written request by an individual to stop the use of the SSN is implemented within 30 days of the receipt of the request; (7) certified copies of vital records issued by the department of health; (8) a recorded document on the official records of a town clerk; and (9) court records. Any person has the right to request that a town clerk or court clerk remove from an internet website that is available to the general public a public record that contains that person's personal information. 
Town clerks or court clerks shall not be liable for any damages that may result from an SSN or other personal information on a website available to the general public. The attorney general has the same enforcement authority for the Social Security Number Protection Act as it does under the Consumer Fraud Act. BISHCA has the same enforcement authority as it possesses under Title 8. In actions against the state or a state agency data collector, an individual shall have the right to seek an injunction.
Under the Document Safe Destruction Act, a business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records when those records contain personal information which is no longer to be retained by the business. Destruction must make the records unreadable or indecipherable to ensure security, protect against security threats, and protect against unauthorized access. For purposes of the Document Safe Destruction Act, "business" means a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but in no case shall it include the state, a state agency, or any political subdivision of the state. Exemptions to the Document Safe Destruction Act include: (1) any bank, credit union, or financial institution as defined by the federal Gramm-Leach-Bliley law that is subject to listed federal regulations regarding document destruction; (2) any health insurer or health care facility in compliance with the security standards of the Health Insurance Portability and Accountability Act; and (3) any consumer reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act. Businesses that dispose of personal information must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information. The attorney general has the same enforcement authority for the Document Safe Destruction Act as it does under the Consumer Fraud Act. BISHCA has the same enforcement authority as it possesses under Title 8 for persons licensed or registered with the department.
In addition, the act specifically authorizes the use of SSNs on applications for victim's compensation and when needed by the restitution unit of crime victim's board for the purpose of collecting restitution and enforcing restitution judgment orders. The act also extends until June 30, 2007, the sunset on an exemption to the public records act for SSNs or other governmentally assigned personal identification numbers contained in a municipal computerized assessment, a municipal grand list, or property transfer tax returns.
Effective Date: January 1, 2007, except that the Social Security Number Protection Act in 9 V.S.A. § 2440 takes effect July 1, 2007.
The Vermont General Assembly
115 State Street