S.284

Introduced by   Senator Coppenrath of Caledonia District and Senator White of Windham District

Referred to Committee on

Date:

Subject:  Commerce and trade; consumer protection; personal information

Statement of purpose:  This bill proposes to require any data collector of personal information to disclose to an individual if there was an unauthorized acquisition or access to the individual’s personal information that the collector owns or is using.  Notice would not be required if the data collector establishes that the misuse of the personal information is not reasonably possible, and the data collector notifies the attorney general or the department of banking, insurance, securities, and health care administration.  The bill would also prohibit certain business or state agency use of an individual’s Social Security number.  In addition, the bill would require any business in the state that maintains or otherwise possesses personal information of Vermont residents to take all reasonable measures to protect against unauthorized access to or use of the information.  Such measures shall include document destruction and electronic media policies.

AN ACT RELATING TO THE PROTECTION OF PERSONAL INFORMATION

It is hereby enacted by the General Assembly of the State of Vermont:

Sec. 1.  9 V.S.A. chapter 62 is added to read:

CHAPTER 62.  PROTECTION OF PERSONAL INFORMATION

Subchapter 1.  General Provisions

§ 2430.  DEFINITIONS

As used in this chapter:

(1)  “Consumer” means an individual residing in this state.

(2)  “Data collector” may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

(3)  “Encryption” means use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.

(4)(A)  “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i)  Social Security number;

(ii)  Driver’s license number or state identification card number;

(iii)  Account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;

(iv)  Account passwords or personal identification numbers or other access codes;

(v)  Any item provided in subdivisions (i) through (iv) of this subdivision (4)(A) when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform identity theft against the person whose information was compromised.

(B)  “Personal information” does not mean publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(5)  “Records” shall mean any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(6)  “Redaction” shall mean the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data.

(7)(A)  “Security breach” means unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.

(B)  “Security breach” does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

Subchapter 2.  Security Breach

§ 2435.  NOTICE OF SECURITY BREACHES

(a)  This section shall be known as the Security Breach Notice Act.

(b)  Notice of breach.

(1)  Any data collector that owns or uses computerized personal information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach.  Notice of the breach is not required if the data collector establishes that misuse of the information is not reasonably possible and the data collector provides notice of the determination that the misuse of the information is not reasonably possible pursuant to subdivision (4) of this subsection.  Notice of the breach shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subdivision (3) of this subsection, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(2)  Any data collector that maintains or possesses computerized data containing personal information of a consumer that the business does not own or license or any data collector that conducts business in Vermont that maintains or possesses records or data containing personal information that the data collector does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subdivision (3) of this subsection.

(3)  The notice required by this section shall be delayed if a law enforcement agency informs the data collector that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the data collector documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation.  The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the data collector its determination that notice will no longer impede the investigation or jeopardize national or homeland security.

(4)  If the data collector establishes that misuse of the information is not reasonably possible pursuant to subdivision (1) of this subsection, the data collector shall provide notice of its determination that misuse of the information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or, in the event that the data collector is an insurer licensed to do business in the state, to the department of banking, insurance, securities, and health care administration.  The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as “trade secret” if the notice and detailed explanation meets the definition of trade secret contained in subdivision 317(c)(9) of Title 1.

(5)  The notice shall be clear and conspicuous.  The notice shall include a description of the following:

(A)  The incident in general terms.

(B)  The type of personal information that was subject to the unauthorized access or acquisition.

(C)  The general acts of the business to protect the personal information from further unauthorized access or acquisition.

(D)  A telephone number that the consumer may call for further information and assistance.

(E)  Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

(6)  For purposes of this section, notice to consumers may be provided by one of the following methods:

(A)  Direct notice to consumers, which may be by one of the following methods:

(i)  Written notice mailed to the consumer’s residence;

(ii)  Electronic notice, for those consumers for whom the data collector has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in 15 U.S.C. § 7001; or

(iii)  Telephonic notice, provided that telephonic contact is made directly with each affected consumer, and the telephonic contact is not through a prerecorded message.

(B)  Substitute notice, if the data collector demonstrates that the cost of providing written or telephonic notice, pursuant to subdivisions (6)(A)(i) or (iii) of this subsection, to affected consumers would exceed $5,000.00 or that the affected class of affected consumers to be provided written or telephonic notice, pursuant to subdivision (6)(A)(i) or (iii) of this subsection, exceeds 5,000, or the data collector does not have sufficient contact information.  Substitute notice shall consist of all of the following:

(i)  conspicuous posting of the notice on the data collector’s web site page if the data collector maintains one; and

(ii)  notification to major statewide and regional media.

(c)  In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

(d)  Any waiver of the provisions of this subchapter is contrary to public policy and is void and unenforceable.

(e)  A financial institution that is subject to and in compliance with the following guidances, and any revisions, additions, or substitutions relating to any interagency guidance, shall be deemed to be in compliance with this section:

(1)  The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or

(2)  Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.

(f)(1)  With respect to all data collectors and other entities subject to this subchapter, other than insurers licensed to do business in the state, the attorney general, state’s attorney, and courts shall have full authority to prosecute, obtain and impose remedies for a violation of this subchapter, or any rules or regulations made pursuant to this chapter, as the attorney general, state’s attorney and courts have under section 2458 of this title, including restraining acts, dissolving domestic corporations, revoking the certificate of authority granted a foreign corporation, obtaining any other temporary or permanent relief, or both, imposing a civil penalty of not more than $10,000.00 for each violation, ordering restitution of cash or goods on behalf of a consumer or a class of consumers similarly situated, and ordering reimbursement to the state of Vermont for the reasonable value of its services and its expenses in investigating and prosecuting the action.  Whenever the attorney general or state’s attorney has reason to believe any data collector or other entity subject to this subchapter, other than insurers licensed to do business in the state, to be or to have been in violation of this section, or of any rule or regulation made pursuant to this section, the attorney general and state’s attorney shall have full authority to conduct a civil investigation pursuant to section 2460 of this title.  The attorney general shall have authority to make rules and regulations, when necessary and proper to carry out the purposes of this subchapter, with respect to any data collector or other entity subject to this subchapter, other than insurers licensed to do business in the state.

(2)  With respect to insurers licensed to do business in the state, the department of banking, insurance, securities, and health care administration shall have the full authority to prosecute, obtain, and impose remedies that it possesses under part 3 of Title 8 for a violation of this subchapter or any rules or regulations adopted pursuant to this subchapter.

Subchapter 3.  Social Security Number Protection

§ 2440.  SOCIAL SECURITY NUMBER PROTECTION

(a)  This section shall be known as the Social Security Number Protection Act.

(b)  Except as provided in subsection (c) of this section, a business may not do any of the following:

(1)  Intentionally communicate or otherwise make available to the general public an individual’s Social Security number.

(2)  Intentionally print or imbed an individual’s Social Security number on any card required for the individual to access products or services provided by the person or entity.

(3)  Require an individual to transmit his or her Social Security number over the internet unless the connection is secure or the Social Security number is encrypted.

(4)  Require an individual to use his or her Social Security number to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website.

(5)  Print an individual’s Social Security number on any materials that are mailed to the individual, unless state or federal law requires the Social Security number to be on the document to be mailed.

(6)  Sell, lease, lend, trade, rent, or otherwise intentionally disclose an individual’s Social Security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual’s Social Security number.

(c)  Subsection (b) of this section shall not apply:

(1)  When a Social Security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy; or to confirm the accuracy of the Social Security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. § 1681(b)(2).  A Social Security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope visible on the envelope or without the envelope having been opened.

(2)  To the collection, use, or release of a Social Security number for internal verification or administrative purposes.

(3)  To the opening of an account or the provision of or payment for a product or service authorized by an individual.

(4)  To the collection, use, or release of a Social Security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the fair credit reporting act, 15 U.S.C. § 1681, et seq.; undertake a permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15; or locate an individual who is missing, is a lost relative, or is due a benefit, such as a pension, insurance, or unclaimed property benefit.

(5)  To a business acting pursuant to a court order, warrant, subpoena, or when otherwise required by law.

(6)  To a business providing the Social Security number to a federal, state, or local government entity, including a law enforcement agency and court, or their agents or assigns.

(7)  To a Social Security number that has been redacted.

(8)  To a business that has used, prior to July 1, 2006, an individual’s Social Security number in a manner inconsistent with subsection (b) of this section, which may continue using that individual’s Social Security number in that manner on or after July 1, 2006, if all of the following conditions are met:

(A)  The use of the Social Security number is continuous.  If the use is stopped for any reason, subsection (b) of this section shall apply.

(B)  The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her Social Security number in a manner prohibited by subdivision (b) of this section.

(C)  A written request by an individual to stop the use of his or her Social Security number in a manner prohibited by subsection (b) of this section is implemented within 30 days of the receipt of the request.  There may not be a fee or charge for implementing the request.

(D)  The person or entity does not deny services to an individual because the individual makes a written request pursuant to this subsection.

(d)  Except as provided in subsection (e) of this section, the state and any state agency, state political subdivision, and agent or employee of a government agency may not do any of the following:

(1)  Collect a Social Security number from an individual unless authorized by law to do so or unless the collection of the Social Security number or records containing the Social Security number is related to the performance of that agency’s duties and responsibilities as prescribed by law.

(2)  Fail, when collecting a Social Security number from an individual, to segregate that number on a separate page from the rest of the record, or as otherwise appropriate, in order that the Social Security number can be more easily redacted pursuant to a valid public records request.

(3)  Fail, when collecting a Social Security number from an individual, to provide, at the time of or prior to the actual collection of the Social Security number by that agency, that individual, upon request, with a statement of the purpose or purposes for which the Social Security number is being collected and used.

(4)  Use the Social Security number for any purpose other than the purpose stated.

(5)  Intentionally communicate or otherwise make available to the general public a person’s Social Security number.

(6)  Intentionally print or imbed an individual’s Social Security number on any card required for the individual to access government services.

(7)  Require an individual to transmit the individual’s Social Security number over the internet, unless the connection is secure or the Social Security number is encrypted.

(8)  Require an individual to use the individual’s Social Security number to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website.

(9)  Print an individual’s Social Security number on any materials that are mailed to the individual, unless a state or federal law requires that the Social Security number be on the document to be mailed.  A Social Security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, visible on the envelope, or without the envelope having been opened.

(e)  Subsection (d) of this section does not apply to:

(1)  Social Security numbers or other identifying information disclosed to another governmental entity or its agents, employees, or contractors if disclosure is necessary for the receiving entity to perform its duties and responsibilities.  The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers.

(2)  Social Security numbers or other identifying information disclosed pursuant to a court order, warrant, or subpoena.

(3)  Social Security numbers or other identifying information disclosed for public health purposes pursuant to and in compliance with requirements of the department of health under Title 18.

(4)  The collection, use, or release of a Social Security number for internal verification or administrative purposes.

(5)  Social Security numbers or other identifying information that have been redacted.

(6)  A state agency or state political subdivision that has used, prior to July 1, 2006, an individual’s Social Security number in a manner inconsistent with subsection (d) of this section, which may continue using that individual’s Social Security number in that manner on or after July 1, 2006, if all of the following conditions are met:

(A)  The use of the Social Security number is continuous.  If the use is stopped for any reason, subsection (b) of this section shall apply.

(B)  The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her Social Security number in a manner prohibited by subsection (b) of this section.

(C)  A written request by an individual to stop the use of his or her Social Security number in a manner prohibited by subsection (b) of this section is implemented within 30 days of the receipt of the request.  There may not be a fee or charge for implementing the request.

(D)  The state agency or state political subdivision does not deny services to an individual because the individual makes a written request pursuant to this subdivision.

(7)  Certified copies of vital records issued by the health department and other authorized officials pursuant to part 6 of Title 18.

(8)  A recorded document in the official records of the town clerk or municipality.

(9)  A document filed in the official records of the courts.

(f)  Any person has the right to request that a town clerk or clerk of court remove, from an image or copy of an official record placed on a town’s or court’s internet website available to the general public or an internet website available to the general public to display public records by the town clerk or clerk of court, the person’s Social Security number, employer taxpayer identification number, driver’s license number, state identification number, passport number, checking account number, savings account number, credit card or debit card number, or personal identification number (PIN) code or passwords contained in that official record.  The request must be made in writing, legibly signed by the requester, and delivered by mail, facsimile, or electronic transmission, or delivered in person to the town clerk or clerk of court.  The request must specify the personal information to be redacted, information that identifies the document that contains the personal information and unique information that identifies the location within the document that contains the Social Security number, employer taxpayer identification number, driver’s license number, state identification number, passport number, checking account number, savings account number, credit card number, or debit card number, or personal identification number (PIN) code or passwords to be redacted.  The request for redaction shall be considered a public record with access restricted to the town clerk, the clerk of court, their staff, or upon order of the court.  The town clerk or clerk of court shall have no duty to inquire beyond the written request to verify the identity of a person requesting redaction and shall have no duty to remove redaction for any reason upon subsequent request by an individual or by order of the court, if impossible to do so.  No fee will be charged for the redaction pursuant to such request.  Any person who requests a redaction without proper authority to do so shall be guilty of an infraction, punishable by a fine not to exceed $500.00 for each violation.

(g)  Any affected person may petition the court for an order directing compliance with this section.  No liability shall accrue to a town clerk or clerk of court or to his or her agent for any action related to provisions of this section or for any claims or damages that might result from a Social Security number or other identifying information on the public record or on a register of deeds’ or clerk of court’s internet website available to the general public or an internet website available to the general public used by a register of deeds or clerk of court.

(h)  A business, state agency, and state political subdivision covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this subchapter are implemented.

(i)(1)  With respect to all businesses, other than insurers licensed to do business in the state, subject to this subchapter, the attorney general, state’s attorney, and courts shall have full authority to prosecute, obtain, and impose remedies for a violation of this subchapter, or any rules or regulations made pursuant to this subchapter, as the attorney general, state’s attorney, and courts have under section 2458 of this title, including restraining acts, dissolving domestic corporations, revoking the certificate of authority granted a foreign corporation, obtaining any other temporary or permanent relief, or both, imposing a civil penalty of not more than $10,000.00 for each violation, ordering restitution of cash or goods on behalf of a consumer or a class of consumers similarly situated, and ordering reimbursement to the state of Vermont for the reasonable value of its services and its expenses in investigating and prosecuting the action.  Whenever the attorney general or state’s attorney has reason to believe any data collector or other entity subject to this subchapter, other than insurers licensed to do business in the state, to be or to have been in violation of this section, or of any rule or regulation made pursuant to this section, the attorney general and state’s attorney shall have full authority to conduct a civil investigation pursuant to section 2460 of this title.  The attorney general shall have authority to make rules and regulations, when necessary and proper to carry out the purposes of this subchapter, with respect to any business subject to this subchapter, other than insurers licensed to do business in the state.

(2)  With respect to insurers licensed to do business in the state, the department of banking, insurance, securities, and health care administration shall have full authority to prosecute, obtain and impose remedies for a violation of this subchapter, or any rules or regulations made pursuant to this subchapter, the department has under part 3 of Title 8.

Sec. 2.  Subchapter 4 is added to chapter 63 of Title 9 to read:

Subchapter 4.  Disposal of Records Containing Personal Information

§ 2480s.  DISPOSAL OF RECORDS CONTAINING PERSONAL INFORMATION

(a)  For the purposes of this section:

(1)  “Business” means sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.  The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution.  The term also includes an entity that destroys records.

(2)  “Dispose” means:

(A)  the discarding of documents in accordance with the business’s records management program, industry best practices, or other formal policy; and

(B)  the sale, donation, discarding or transfer of any medium, including computer equipment or computer media containing records of personal information, including back-ups to live data or other nonpaper media upon which records of personal information are stored or other equipment for nonpaper storage of information.

(3)  “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, a name, signature, Social Security number, fingerprint and other biometric information, photograph or computerized image, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, date of birth, medical information, bank account number, credit card number, debit card number, or any other financial information.

(4)(A)  “Record” means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.

(B)  “Record” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

(b)  Any business that conducts business in the state of Vermont and any business that maintains or otherwise possesses personal information about residents of the state of Vermont must take all reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.  Such reasonable measures must include:

(1)  Implementing and monitoring compliance with policies and procedures that require the physical destruction of records so that the information cannot practicably be read or reconstructed.

(2)  Implementing and monitoring compliance with policies and procedures that require the destruction of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.

(3)  After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of personal information in a manner consistent with this subchapter.  Due diligence should ordinarily include one or more of the following:

(A)  reviewing an independent audit of the disposal company’s operations or its compliance with this statute or its equivalent or both;

(B)  obtaining information about the disposal company from several references or other reliable sources and requiring that the disposal company be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or

(C)  reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company.

(4)  For disposal companies explicitly hired to dispose of records containing personal information, implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information in accordance with subdivisions (1) and (2) of this subsection.

(c)  Business policy.  Procedures relating to the adequate destruction or proper disposal of personal records must be comprehensively described and classified as official policy in the writings of the business entity, including corporate and employee handbooks and similar corporate documents.

Sec. 3.  EFFECTIVE DATE

This act shall take effect July 1, 2007.



Published by:

The Vermont General Assembly
115 State Street
Montpelier, Vermont


www.leg.state.vt.us