Vermont - Sectoral Privacy Overview
August 2024
1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION
Article 11 of the Constitution of the State of Vermont (Constitution) recognizes '[t]hat the people have a right to hold themselves, their houses, papers, and possessions, free from search or seizure; and therefore warrants, without oath or affirmation first made, affording sufficient foundation for them, and whereby by any officer or messenger may be commanded or required to search suspected places, or to seize any person or persons, his, her or their property, not particularly described, are contrary to that right, and ought not to be granted'.
Beyond what is stated in Article 11, the Constitution does not presently recognize a right to privacy. In 2012, 2015, and 2019, proposals were introduced to add an individual right to privacy, but they were rejected. Proposals regarding a right to privacy were also made in 1987 and 1991 but were rejected.
2. KEY PRIVACY LAWS
Rules/rights affected
As a general matter, Vermont privacy law is grounded in the concept of fairness and consumer protection. Thus, in the absence of specific privacy provisions, Vermont looks to §§2451 et seq. of Chapter 63 of Title 9 of the Vermont Statutes Annotated (V.S.A.) (Consumer Protection Act), which covers 'unfair methods of competition, unfair or deceptive acts or practices, and anti-competitive practices in order to protect the public and to encourage fair and honest competition.'
Various sector-specific laws and regulations in Vermont are summarized in the sections below. These laws and regulations address a variety of privacy-related topics, including disclosure of personal information and other confidential data, collection, and treatment of the same, notices that must be provided to consumers and other stakeholders, standards and safeguards that must be adopted to protect privacy, disposal of protected information, notifications required in the event of a data breach, and data brokering.
Key definitions
The key term defined throughout Vermont's various privacy-related laws and regulations is 'personally identifiable information' (PII) (or similar). Prominent examples of the definition include the following:
- Security Breach Notice Act under § 2430 of Subchapter 1 and § 2435 of Subchapter 2 of Chapter 62 of Title 9 of the V.S.A. (Security Breach Notice Act): A consumer's first name or first initial and last name in combination with one or more of the following digital data elements, when either the name or the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons, including:
- a social security number;
- a driver's license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
- a financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords;
- a password, personal identification number, or other access code for a financial account;
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- genetic information; and
- health records or records of a wellness program or similar program of health promotion or disease prevention, a healthcare professional's medical diagnosis or treatment of the consumer, or a health insurance policy number.
- Document Safe Destruction Act under § 2445 of Subchapter 004 of Chapter 062 of Title 9 of the V.S.A. (Document Safe Destruction Act): '[T]he following information that identifies, relates to, describes, or is capable of being associated with a particular individual: his or her signature, social security number, physical characteristics or description, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information;' and
- § 2030 of Chapter 047 of Title 13 of the V.S.A. on identity theft: '[N]ame, address, birth date, social security number, motor vehicle personal identification number, telephone number, financial services account number, savings account number, checking account number, credit card number, debit card number, picture, identification document or false identification document, electronic identification number, educational record, health care record, financial record, credit record, employment record, e-mail address, computer system password, or mother's maiden name, or similar personal number, record, or information.'
Enforcement
Privacy laws in Vermont are enforced by the Office of the Vermont Attorney General (AG), the various State's Attorneys, the state agencies charged with regulating privacy issues in particular sectors (e.g., financial, labor, education), and (in some cases) private individuals. Penalties for violations include fines, imprisonment, disciplinary measures, removal orders, investigations, assurances of discontinuance, and civil actions for compensatory damages, injunctive relief, punitive damages, and attorneys' fees.
Case law
Vermont does not have a wealth of case law addressing privacy. As a general point, Vermont courts have occasionally applied the Restatement (Second) of Torts §652A, which recognizes a right of privacy (see, for example, Hodgdon v. Mt. Mansfield Co., Inc., 160 Vt. 150, 624 A.2d 1122 (1992) (right of privacy is the right to be let alone)).
A recent case of interest in Vermont is Lawson v. Halpern-Reiss, 2019 VT 38. In Lawson, the plaintiff alleged that she suffered damages after an emergency room nurse informed a police officer that the plaintiff was intoxicated, had driven herself to the hospital, and was intending to drive home from the hospital after being discharged. The defendant hospital was granted summary judgment on the grounds that nothing in the record supported an inference that the nurse's disclosure of the information was for any reason other than her good-faith concern for the plaintiff's and the public's safety. The Vermont Supreme Court (Supreme Court) affirmed, finding that no reasonable factfinder could determine that the disclosure was for any purpose other than to mitigate the threat of imminent and serious harm to the plaintiff and the public. However, the Supreme Court did formally recognize a common-law private right of action in Vermont for damages arising from a medical provider's unauthorized or unjustified disclosure to third persons of information obtained during treatment.
Other Recent Developments
In the 2023-2024 session, the Vermont Legislature introduced ten bills on privacy. Of particular note, on May 10, 2024, the Vermont Legislature passed House Bill 121 (H.121), setting forth an act relating to enhancing consumer privacy and age-appropriate design code. (For a detailed summary of H.121, see Vermont: Overview of the proposed data privacy act and related legislation.) H.121 was similar to various comprehensive privacy laws passed in other states but also included a limited private right of action for certain violations of the proposed law. H.121 also included provisions from another pending bill – S.289 – addressing age-appropriate design codes for online services, products, or features reasonably likely to be accessed by children. On June 13, 2024, Vermont Governor Phil Scott vetoed H.121, noting that it "creates an unnecessary and avoidable level of risk," especially for mid-sized and small employers in Vermont. The Governor also observed that "the bill's complexity and unique expansive definitions and provisions create big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on." Subsequent efforts in the Vermont Legislature to override the veto were unsuccessful.
The remaining privacy-related bills in the 2023-2024 session were H.116, S.129, H.159, S.173, S.269, H.712, H.343, and S.49. H.116 proposed the adoption of restrictions on what employers can share about employee compensation history. S.129 proposed employee privacy protections including restricting employers from conducting criminal history checks, credit checks, and drug tests when the information is not directly related to the prospective job. H.159 proposed consumer protection controls over personal information collected from accessing the Internet through a broadband Internet access service provider. S.173 proposed to regulate the collection, sharing, and selling of consumer health data in Vermont. S.269 proposed general data protections to Vermonters including general requirements for data collection and use, record retention, modifications to requirements pertaining to data brokers, and the adoption of biometric consumer privacy protections. H.712 proposed similar age-appropriate designs to S.289. Both H.343 and S.49 proposed the adoption of the same privacy protections for genetic information and consumer health information. These bills all died in committee.
3. HEALTH DATA
Healthcare privacy
Under §§1881-1882 of Chapter 42B of Title 18 of the V.S.A., a covered entity is prohibited from disclosing protected health information unless the disclosure is permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The terms 'covered entity' and 'protected health information' are defined as in §160.103 of the HIPAA Privacy and Security Rules, Parts 160 and 164 of Title 45 of the Code of Federal Regulations (HIPAA Rules). Additional provisions applying to the confidentiality of information in the possession of mental health professionals are set forth in 18 V.S.A. §1882, which provides that such a professional 'who knows or, based upon the standards of the mental health profession, should know that their patient poses a serious risk of danger to an identifiable victim has a duty to exercise reasonable care to protect him or her from that danger'. This duty was established in Peck v. Counseling Service of Addison County, Inc., 146 Vt. 61 (1985).
The Vermont Prescription Monitoring System
Under §§4281 et seq. of Chapter 84A of Title 18 of the V.S.A., the Vermont Prescription Monitoring System (VPMS) is created, which is 'an electronic database and reporting system for electronic monitoring of prescriptions'. Privacy matters with respect to the VPMS are addressed in 18 V.S.A. §4284. Key provisions include the following:
- Prescription data is treated as confidential and is not subject to Vermont's Public Records Act under §§315-320 of Subchapter 3 of Chapter 5 of Title 1 of the V.S.A. (Vermont Public Records Act).
- The Vermont Department of Health (DoH) must 'maintain procedures to protect patient privacy, ensure the confidentiality of patient information collected, recorded, transmitted, and maintained, and ensure that information is not disclosed to any person except as provided in this section'. The procedures include limiting access to query VPMS, limiting access to reports regarding data available in the VPMS, offering training to healthcare providers and dispensers on the proper use of information received from VPMS, and developing policies to enable use of information from the VPMS to determine if individual prescribers and dispensers are using the VPMS appropriately and to evaluate the prescription of regulated drugs by prescribers.
- The DoH may use information from the VPMS for research, trend analysis, and other public health promotion purposes, provided that data is aggregated or otherwise de-identified.
- Persons who receive data or reports from the VPMS or the DoH are prohibited from sharing that data with persons other than those enumerated in the statute.
- Knowing, unauthorized disclosure or obtaining of VPMS data is punishable by imprisonment for not more than one year or a fine of not more than $1,000, or both, in addition to any penalties under federal law.
Code of Vermont Rules
Additional health-related privacy requirements in Vermont are contained in various sector-specific regulations. These include the following:
- Code of Vermont Rules (CVR) 13-000-002, which applies to employees, grantees, and contractors of the Vermont Agency of Human Services and which governs:
- the collection, disclosure, and sharing of consumers' individually identifiable information;
- notification to consumers regarding individually identifiable information practices;
- procedures for obtaining permission/authorization to share/disclose individually identifiable information;
- consumer access to records; and
- procedures required to protect confidentiality;
- Regulation IH-2001-01, under CVR 21-020-53, governs insurers licensed by the State of Vermont regarding the treatment of 'non-public personal health information.' It requires licensees to provide notice (both initially and annually) to consumers of their privacy policies and practices, and sets forth the conditions under which non-public personal health information may be disclosed;
- Regulation IH-2002-03, under CVR 21-020-055, governs insurers licensed by the State of Vermont regarding the establishment of standards for developing and implementing administrative, technical, and physical safeguards to:
- protect the security, confidentiality, and integrity of customer information;
- protect against anticipated threats or hazards to the security or integrity of the information; and
- protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to customers; the regulation requires licensees to develop and implement comprehensive written information security programs;
- Regulation B-2018-01, under CVR 21-010-016, governs financial institutions regarding the treatment of 'non-public personal health information,' requires financial institutions to provide notice (both initially and annually) to consumers of their privacy policies and practices, and sets forth the conditions under which non-public personal health information may be disclosed;
- CVR 13-140-021 §11.3 (immunization);
- CVR 13-110-006 §VI (licensing regulations for homes for the terminally ill);
- CVR 13-110-009 §VI (residential care home licensing);
- CVR 13-110-012 §VI (licensing and operating regulations for therapeutic community residences);
- CVR 13-160-003 §VIII (regulations for commissioner-designated shelter programs); and
- CVR 13-162-007 §30, subsections 315-319 (responsibilities of foster parents).
4. FINANCIAL DATA
The Financial Privacy Act
In accordance with §§10201-10206 of Subchapter 2 of Chapter 200 of Title 8 of the V.S.A. (Financial Privacy Act), and specifically at §10203 of the Financial Privacy Act, financial institutions and their officers, employees, agents, and directors are prohibited from disclosing any financial information relating to a customer, except as authorized under the statute, and are required to adopt reasonable procedures to assure compliance. 'Financial information' is defined as an original or copy of, or information derived from:
- a document that grants signature authority over a deposit or share account;
- a statement, ledger card, or other record of a deposit or share account that shows transactions in or with respect to that deposit or account;
- a check, clear draft, or money order that is drawn on a financial institution or issued and payable by or through a financial institution;
- any item, other than an institutional or periodic charge, that is made under an agreement between a financial institution and another person’s deposit or share account;
- any information that relates to a loan account or an application for a loan; or
- evidence of a transaction conducted by electronic or telephonic means.
In addition, §10204 of the Financial Privacy Act enumerates 26 exceptions to the rule prohibiting disclosure, including customer opt-in. Moreover, §10205 of the Financial Privacy Act sets forth the penalties for violation of the statute. Specifically, the Vermont Department of Financial Regulation's (DFR) Commissioner (Commissioner) can take any of the enforcement actions provided under §§11601-11603 of Title 8 of the V.S.A., which include administrative penalties, removal orders, other injunctive orders, and imposition of corrective action. The Commissioner may also impose a penalty of up to $15,000 for each knowing violation of the regulation or an order issued under it, for knowingly engaging in materially unsafe or unsound practices in connection with a financial institution, or for knowingly committing an act, omission, or practice that constitutes a breach of fiduciary duty to the financial institution. Violations of orders by the Commissioner may result in criminal penalties, including fines and imprisonment.
The CVR
Additional financial-related privacy requirements in Vermont are contained in various sector-specific regulations. These include Regulation IH-2001-01, Regulation IH-2002-03, and Regulation B-2018-01.
Regulation B-2018-01, which implements the Vermont Financial Privacy Act, governs 'financial institutions' regarding the treatment of 'non-public personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from [financial institutions]' and further requires financial institutions to provide notice (both initially and annually) to consumers of their privacy policies and practices, and sets forth the conditions under which non-public personal information, including 'non-public personal financial information', may be disclosed.
Finally, the Vermont Securities Regulations (V.S.R.), under CVR 21-030-001 (S-2016-01), require a Vermont registered investment advisor to 'establish and maintain written policies and procedures reasonably designed to ensure cybersecurity,' to 'include cybersecurity as part of its risk assessment,' to 'maintain evidence of adequate insurance for the risk of cyber security breach,' and to 'provide identity restoration services at no cost to consumers in the occurrence of breach in the cyber security of consumer non-public personal information' (V.S.R. §8-4).
5. EMPLOYMENT DATA
Fair employment practices
The provisions under §§495 et seq. of Subchapter 006 of Chapter 005 of Title 21 of the V.S.A. identify various employment practices deemed unfair in Vermont. Several of these practices have privacy implications, including the following:
- Under 21 V.S.A. §495i, an employer is prohibited from inquiring about an employee's or applicant's credit report or credit history, unless an exception applies. Even if an exception does apply, the employer may not use the employee's/applicant's credit report or credit history as the sole factor regarding employment or compensation decisions. An employer that seeks to use an employee's/applicant's credit report or credit history must obtain written consent to obtain the credit report or credit history and must ensure that the information in it is kept confidential. If the employee is terminated or the applicant is not hired, the employer must provide the credit report or credit history to the employee/applicant or must destroy it in a secure manner to protect confidentiality.
- Under 21 V.S.A. §495j, an employer may not request criminal history record information as part of the initial application process unless certain specified conditions are met. This restriction on the application process does not apply to interviews or once the prospective employee has been deemed otherwise qualified for the position. An employer who violates the restriction is subject to a civil penalty of up to $100 per violation.
- Under 21 V.S.A. §495l, an employer may not require, request, or coerce an employee or applicant to:
- disclose a username, password, etc., or turn over an unlocked personal electronic device, so that the employer may access the employee's/applicant's social media account;
- access a social media account in the employer's presence;
- divulge or present any content from the employee's/applicant's social media account; or
- change the account or privacy settings of the social media account to increase third-party access to its contents.
- In addition, under 21 V.S.A. §495l, an employer also may not require or coerce an employee or applicant to add the employer (or anyone else) as a contact associated with a social media account. The statute does contain a carve-out for requesting 'specifically identified content', defined as 'data, information, or other content stored in a social media account that is identified with sufficient particularity to distinguish the individual piece of content being sought from any other data, information, or content stored in the account', in certain enumerated circumstances.
- Under 21 V.S.A. §495m, an employer may not request or seek information on a prospective employee's current or past compensation from either the prospective employee or a current or former employer. However, if the prospective employee voluntarily discloses this information, the employer may, after offering employment with compensation to the prospective employee, seek to confirm or request that the prospective employee confirm that information.
In addition to any penalties or remedies set forth in particular sections of the subchapter, 21 V.S.A. §495b provides as follows:
- the AG or a State's Attorney may restrain prohibited acts, seek civil penalties, obtain assurances of discontinuance, and conduct civil investigations;
- the Superior Courts are authorized to impose the same civil penalties and investigation costs and to order other relief to the State of Vermont or an aggrieved employee for violations of this subchapter as they are authorized to impose under the Consumer Protection Act;
- the Superior Courts also may order restitution of wages or other benefits on behalf of an employee and may order reinstatement and other appropriate relief on behalf of an employee; and
- an aggrieved person may bring an action in Superior Court seeking compensatory and punitive damages or equitable relief, including restraint of prohibited acts, restitution of wages or other benefits, reinstatement, costs, reasonable attorneys' fees, and other appropriate relief.
Drug testing
Under §516 of Subchapter 011 of Chapter 005 of Title 21 of the V.S.A., several restrictions are placed on healthcare information about an individual to be drug tested:
- information must be collected only by a medical review officer;
- information must be treated as confidential;
- information may not be released to anyone except the individual tested, and may not be obtained by court order or process, except as provided in the statute;
- a medical review officer may not reveal the identity of an individual being drug tested to any person, including the laboratory;
- information regarding drug test results must be kept confidential by employers, medical review officers, laboratories, and their agents;
- information regarding drug test results may be released only pursuant to a written consent form signed voluntarily by the person tested, unless compelled by a court in connection with an action brought under the statute; and
- information regarding drug test results that is released in violation of the statute is inadmissible as evidence in any judicial or quasi-judicial proceeding, except in a court in connection with an action brought under the statute.
Enforcement of the above provisions is governed by 21 V.S.A. §519, which permits an employee or applicant aggrieved by a violation to bring a civil action for injunctive relief, damages, court costs, and attorneys' fees. In addition, a violator is subject to a civil penalty of between $500 and $2,000, or a fine of between $500 and $1,000, as well as imprisonment for up to six months.
Records and other documents
Under §1691a of Chapter 063 of Title 12 of the V.S.A., '[i]t is the policy of this State that an employee's personnel records should not be discovered by a party in a civil action without first giving the employee notice and an opportunity to object to the discovery of the records'. The statute contains requirements for the contents of the notice and affords an employee 20 days to object and respond to the request, as well as the right to a court hearing.
6. ONLINE PRIVACY
Vermont does not presently have specific laws or regulations addressing online privacy, children's privacy, or behavioural advertising. These topics are subject to regulation more generally under the Consumer Protection Act, which covers 'unfair methods of competition, unfair or deceptive acts or practices, and anti-competitive practices in order to protect the public and to encourage fair and honest competition.'
7. UNSOLICITED COMMERCIAL COMMUNICATIONS
Prohibited telephone solicitations are addressed in the Consumer Protection Act, specifically at §§2464a-2464e of the Consumer Protection Act. The statute defines a 'telephone solicitation' as the 'solicitation by telephone of a customer for the purpose of encouraging the customer to contribute to an organization that is not a tax-exempt organization or to purchase, lease, or otherwise agree to pay consideration for money, goods, or services,' subject to some exceptions (e.g., a call made in response to a request or inquiry by the called customer). Several requirements apply under the statute:
- telemarketers may not make a telephone solicitation to a Vermont number without having first registered with the Vermont Secretary of State;
- calls may not be made to a Vermont number in violation of the Federal Trade Commission's (FTC) Telemarketing Sales Rule 1995 or the Federal Communications Commission's (FCC) Telephone Consumer Protection Act Regulations 1992; and
- a person who places a telephone call to make a telephone solicitation, or to induce a charitable contribution, donation, or gift of money or other thing of value, must transmit various information to the caller identification service used by the recipient of the call, including the caller's telephone number and the caller's name (if made available by the caller's carrier), or the name and number of the person on whose behalf the call is being made.
Violations of the Consumer Protection Act may result in the imposition of civil penalties. In addition, a person who receives a telephone call in violation of the statute may bring a civil action for damages (actual damages or $500 for a first violation, or $1,000 for each subsequent violation, whichever is greater), injunctive relief, punitive damages (in the case of a willful violation), and reasonable costs and attorneys' fees. Telemarketers who violate the registration requirement are subject to imprisonment for up to 18 months, a fine of up to $10,000, or both. Finally, effective July 1, 2023, § 2464e of the Consumer Protection Act will also prohibit robocalls. Specifically, a person shall not initiate an automatically dialed or prerecorded phone call in violation of the federal Telephone Consumer Protection Act, 47 U.S.C. §227; the federal Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§6101–6108; or the regulations adopted pursuant to those Acts. A person receiving a prohibited robocall may bring a court action for damages or a civil penalty (whichever is greater), injunctive relief, punitive damages in the case of a willful violation, and reasonable costs and attorneys' fees. In this context, civil penalties range from $500 for a first violation to $1,000 for each subsequent violation. In addition, persons who initiate robocalls knowingly and willfully are subject to imprisonment of up to 90 days, a fine of up to $1,000 per violation, or both.
8. PRIVACY POLICIES
Vermont does not have any generally applicable laws or regulations mandating the use of privacy policies or governing their contents. However, various sectoral laws and regulations address this issue, including the following:
- Regulation B-2018-01, which governs 'financial institutions,' sets forth highly detailed requirements for privacy policies and the treatment of 'non-public personal information' (which includes both 'non-public personal financial information' and 'non-public personal health information'). As a general rule, financial institutions are required to provide a clear and conspicuous initial notice that accurately reflects their privacy policies and practices to both 'customers' (no later than when the financial institution establishes a customer relationship) and 'consumers' (before the financial institution discloses any non-public personal information about the consumer to any non-affiliated third party, which disclosure requires an opt in from the consumer), as well as clear and conspicuous notice annually to customers that accurately reflects their privacy policies and practices. Financial institutions must also provide revised notices under certain circumstances. Appendix A contains sample clauses financial institutions can use in their privacy policies. Notices must be 'reasonably understandable and designed to call attention to the nature and significance of the information in the notice,' and must, at a minimum, address the following:
- the categories of non-public personal information that the financial institution collects;
- the categories of non-public personal information that the financial institution discloses;
- the categories of affiliates and non-affiliated third parties to whom the financial institution discloses non-public personal information;
- the categories of non-public personal information about the financial institution's former customers that the financial institution discloses and the categories of affiliates and non-affiliated third parties to whom the financial institution discloses non-public personal information about the financial institution's former customers;
- under certain circumstances, a separate description of the categories of information that the financial institution discloses and the categories of non-affiliated third parties with whom the financial institution has contracted;
- an explanation of the consumer's right to opt in prior to the disclosure of non-public personal financial information to non-affiliated third parties, including the methods by which the consumer may exercise that right at any time;
- any disclosures that the financial institution makes under the federal Fair Credit Reporting Act of 1970 ('FCRA'), the federal implementing regulations, and the Vermont Fair Credit Reporting Act, under 9 V.S.A. §§2480a-2480n of the Consumer Protection Act;
- the financial institution's policies and practices with respect to protecting the confidentiality and security of non-public personal information; and
- any disclosure that the financial institution makes under Section 7.B of Regulation IH-2001-01.
- Regulation IH-2001-01, which governs insurers licensed by the State of Vermont, sets forth highly detailed requirements for privacy notices and the treatment of 'non-public personal information' (which includes both 'non-public personal financial information' and 'non-public personal health information'). The same requirements mentioned above with regard to privacy notices of financial institutions apply for insurers licensed by the State of Vermont.
- V.S.R. (S-2016-01) requires an applicant for initial registration as an investment adviser to file a privacy policy with the Commissioner (V.S.R. §7-1(b)(1)(B)(iii)). It also requires an investment adviser to provide clients with a copy of its privacy policy on an annual basis (V.S.R. §7-3(d)(13)(B)).
- Vermont's student data privacy law, 9 V.S.A. §2443b(3) of the Bill for an Act Relating to Data Privacy and Consumer Protection (Act), requires operators of websites, online services, online applications, or mobile applications who have actual knowledge that the site, service, or application is used primarily for, and was designed and marketed for 'PreK–12 school purposes' (see section 10 below) to publicly disclose and provide schools with material information about the operators' collection, use, and disclosure of covered information.
9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY
Document Safe Destruction Act
The Document Safe Destruction Act (9 V.S.A. §2445) requires businesses to take all reasonable steps to destroy or arrange for the destruction of a customer's records containing personal information that is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable.
The statute defines 'personal information' as information that identifies, relates to, describes, or is capable of being associated with a particular individual, including signature, social security number, physical characteristics or description, passport number, driver's license, or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
The AG, State's Attorneys, and the DFR have the authority to investigate potential violations of the statute, to enforce, prosecute, obtain, and impose remedies for a violation of the statute or any related rules, and to adopt rules.
Security Breach Notice Act
The Security Breach Notice Act (9 V.S.A. §2435) requires various notices to be given in the event of a 'security breach,' which is defined as either an unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's PII or login credentials. A breach does not include a good faith but unauthorized acquisition of PII or login credentials by an employee or agent of a data collector that is for a legitimate purpose of the data collector, provided that the PII or login credentials are not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure. For the statute's definition of PII, see section 1 above; note, however, that the definition excludes publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The Security Breach Notice Act defines 'login credentials' as 'a consumer's username or email address, in combination with a password or an answer to a security question, that together permit access to an online account.'
The Security Breach Notice Act contains the following notice requirements for breaches involving PII:
- Preliminary notice must be given to the AG or the DFR within 14 business days after discovery of a breach or at the same time notice of the breach is provided to consumers, whichever is sooner. The notice must include the date of the breach, the date of discovery of the breach, a description of the breach (including the number of Vermont consumers affected if known), and a copy of the notice provided to consumers if already made.
- Notice to affected consumers must be given as quickly as possible and without unreasonable delay, but no later than 45 days after discovery of a breach. The notice must be clear and conspicuous, and must include the following, if known:
- a description of the breach itself (in general terms), including the approximate date of the breach and the type of PII that was subject to the breach;
- a description of the general actions taken to protect the PII from further breaches;
- a telephone number (toll-free if available) consumers may call for further information and assistance; and
- advice directing consumers to remain vigilant by reviewing account statements and monitoring free credit reports.
The notice may be made by written, electronic, or telephonic means, or in some instances by substitute means (website notice or statewide and regional media notice).
The Security Breach Notice Act contains the following notice requirements for breaches that are limited to login credentials:
- a data collector is only required to provide notice of the security breach to the AG or DFR, as applicable, if the login credentials were acquired directly from the data collector or its agent;
- if the login credentials are for an online account other than an email account, the data collector must provide notice to the consumer electronically or through other authorized means (written, telephonic, or substitute) and must advise the consumer to take steps necessary to protect the online account, including to change their login credentials for the account and for any other account for which the consumer uses the same login credentials; and
- if the breach is limited to login credentials for an email account, the data collector may not provide notice of the breach through that email account and must provide notice through written, electronic, or telephonic means, or in some instances by substitute means, or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an Internet protocol address or online location from which the data collector knows the consumer customarily accesses the account.
In all cases, the Security Breach Notice Act also specifies that the required notice may be delayed if requested to do so by a law enforcement agency. If the request is not made in writing, it must be documented in writing, including the name of the law enforcement agency and officer. After the agency reports that there is no longer a need to delay the required notification, such notification must be made without unreasonable delay.
Under the Act, notice of a breach is not required if the data collector establishes that misuse of personal information, PII, or login credentials is not reasonably possible and the data collector provides notice of the determination of this fact and a detailed explanation for the determination to the AG or to the DFR, as applicable. If the data collector subsequently obtains facts indicating that misuse of the personal information, PII, or login credentials has occurred or is occurring, the data collector must provide notice of the breach.
Moreover, the Security Breach Notice Act outlines that if notice must be provided to more than 1,000 consumers for a breach, notice must also be promptly given to all national consumer credit reporting agencies of the timing, distribution, and content of the consumer notice.
Additionally, the Security Breach Notice Act specifies that a data collector that is subject to the privacy, security, and breach notification rules adopted pursuant to the HIPAA Rules is deemed to be in compliance with the Security Breach Notice Act if the data collector experiences a security breach that is limited to PII specified in §2430(10)(A)(vii) of the Act and the data collector provides notice to affected consumers pursuant to the requirements of the breach notification rule in 45 C.F.R. Part 164.
The Security Breach Notice Act is enforced under the same authority as the Consumer Protection Act. Enforcement actions under the Act may seek injunctive relief and civil penalties of up to $10,000 per violation per day. In addition to enforcement actions, a party experiencing a data breach is potentially subject to private lawsuits arising from compromised personal information.
The AG has issued the Security Breach Notification Guidance.
Social Security Number Protection Act
The Social Security Number Protection Act, codified at §2440 of Subchapter 003 of Chapter 062 of Title 9 of the V.S.A., generally prohibits a public or private entity from communicating, printing, embedding, selling, leasing, lending, trading, renting, disclosing, or requiring use or transmission of social security numbers except as provided for in the statute.
The AG, State's Attorneys, and the DFR have the authority to investigate potential violations of the statute, to enforce, prosecute, obtain, and impose remedies for a violation of the statute or any related rules, and to adopt rules. In certain circumstances, information provided to the AG may be designated as confidential and exempt from the Vermont Public Records Act.
The AG has issued Guidance Concerning the Protection of Social Security Numbers.
Data Broker Act
The Data Broker Act, under §§2430, 2446, and 2447 of Title 9 of the V.S.A. (Data Broker Act), requires data brokers to annually register with the Vermont Secretary of State and provide certain requested information on their practices. The statute prohibits the acquisition and use of brokered personal information through fraudulent means or for the purposes of stalking or harassment, committing fraud (e.g. identity theft, financial fraud, or email fraud), or engaging in unlawful discrimination. The Data Broker Act also requires data brokers to develop, implement, and maintain a written, comprehensive information security program containing administrative, technical, and physical safeguards.
The Data Broker Act defines 'data broker' as 'a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.'
The Data Broker Act defines 'brokered personal information' to include 'one or more of the following computerized data elements about a consumer if categorized or organized for dissemination to third parties:
- name;
- address;
- date of birth;
- place of birth;
- mother's maiden name;
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- name or address of a member of the consumer's immediate family or household;
- social security number or other government-issued identification number; or
- other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.'
The AG has issued Guidance on Data Brokers.
10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS
Vermont Public Records Act
The Vermont Public Records Act governs individuals' right to inspect or copy public documents held by state and local government bodies in Vermont. The policy underlying the Act is stated as follows: 'It is the policy of this subchapter to provide for free and open examination of records consistent with Chapter I, Article 6 of the Vermont Constitution. Officers of government are trustees and servants of the people, and it is in the public interest to enable any person to review and criticize their decisions even though such examination may cause inconvenience or embarrassment. All people, however, have a right to privacy in their personal and economic pursuits, which ought to be protected unless specific information is needed to review the action of a governmental officer. Consistent with these principles, the General Assembly hereby declares that certain public records shall be made available to any person as hereinafter provided. To that end, the provisions of this subchapter shall be liberally construed to implement this policy, and the burden of proof shall be on the public agency to sustain its action.'
Privacy is implicated in several places in the Vermont Public Records Act. First, as shown above in the statement of policy, a person's 'right to privacy in their personal and economic pursuits' must be considered in determining whether access to particular records is appropriate. Second, the exemptions from the definition of 'public record' include the following, among many others:
- records dealing with the detection and investigation of crime, but only to the extent that the production of such records could reasonably be expected to constitute an unwarranted invasion of personal privacy;
- a tax return and related documents, correspondence, and certain types of substantiating forms that include the same type of information as in the tax return itself filed with or maintained by the Vermont Department of Taxes or submitted by a person to any public agency in connection with agency business;
- personal documents relating to an individual, including information in any files maintained to hire, evaluate, promote, or discipline any employee of a public agency, information in any files relating to personal finances, medical or psychological facts concerning any individual or corporation; provided, however, that all information in personnel files of an individual employee of any public agency shall be made available to that individual employee or their designated representative;
- lists of names compiled or obtained by a public agency when disclosure would violate a person's right to privacy;
- student records, including records of a home study student; provided, however, that such records shall be made available upon request under the provisions of the Federal Family Educational Rights and Privacy Act of 1974 (FERPA);
- records concerning the formulation of policy where such would constitute a clearly unwarranted invasion of personal privacy if disclosed;
- records relating to the identity of library patrons or the identity of library patrons in regard to library patron registration records and patron transaction records in accordance with 22 V.S.A. Chapter 4;
- records of a registered voter's month and day of birth, driver's license or non-driver identification number, telephone number, email address, and the last four digits of their social security number contained in a voter registration application or the statewide voter checklist established under 17 V.S.A. §2154 or the failure to register to vote under 17 V.S.A. §2145a; and
- records held by the Agency of Human Services or the Department of Financial Regulation, which include prescription information containing patient-identifiable data, that could be used to identify a patient.
Any person who has been aggrieved by the denial of a public records request under the Vermont Public Records Act may file an action in the Vermont Superior Court 'to enjoin the public agency from withholding agency records and to order the production of any agency records improperly withheld from the complainant.' If the aggrieved party substantially prevails in the action, an award of reasonable attorneys' fees and costs may be available. The court may award reasonable attorneys' fees and costs to the state if the complaint filed by the aggrieved party violates Rule 11 of the Vermont Rules of Civil Procedure (e.g., due to frivolity). In addition, if the court determines that agency personnel have acted arbitrarily or capriciously in withholding records, disciplinary action may be warranted against the officer or employee who was primarily responsible for the withholding.
Finally, the Vermont Public Records Act provides that any person who wilfully destroys, gives away, sells, discards, or damages a public record, without having the authority to do so, will be fined between $50 and $1,000 for each offense.
Vermont's Fair Credit Reporting Act
The Vermont Fair Credit Reporting Act (9 V.S.A. §§2480a-2480n) requires credit reporting agencies, upon request and proper identification of any consumer, to clearly and accurately disclose to the consumer all information available to users at the time of the request pertaining to the consumer, including:
- any credit score or predictor relating to the consumer, in a form and manner that complies with such comments or guidelines as may be issued by the FTC;
- the names of users requesting information pertaining to the consumer during the prior 12-month period and the date of each request; and
- a clear and concise explanation of the information.
The Vermont Fair Credit Reporting Act further provides that, unless a statutory exemption applies, a person may obtain the credit report of a consumer only if the report is obtained in response to a court order, or if the consumer has provided consent and the report is used for the purpose consented to by the consumer. Further, in the event a consumer places a security freeze on their credit report, a credit reporting agency is prohibited, unless a statutory exemption applies, from releasing the report or any information from it without the consumer's express authorization.
The AG has issued Consumer Protection Rule 112, which requires that when a consumer has made an application or request for credit, insurance, employment, housing, or governmental benefits, the consumer consent required for a third party to obtain the consumer's credit report must be in the same manner as the consumer's application or request.
Violations of the Vermont Fair Credit Reporting Act and associated rules are deemed to be violations of the Consumer Protection Act. The AG has the authority to make rules, conduct civil investigations, and bring civil actions regarding alleged violations. In addition, a consumer aggrieved by a violation may bring an action in Superior Court for damages, injunctive relief, punitive damages (in the case of a willful violation), and reasonable costs and attorneys' fees.
Where a violation is committed by a credit reporting agency, or where any other person commits a wilful violation, the court may award the consumer's actual damages or $100, whichever is greater.
Student data privacy
9 V.S.A. §§2443-2443f regulate operators of websites, online services, online applications, or mobile applications who have actual knowledge that the site, service, or application is used primarily for, and was designed and marketed for, 'PreK–12 school purposes.' 'PreK–12 school purposes' are defined as:
- purposes that are directed by or that customarily take place at the direction of a school, teacher, or school district;
- aid in the administration of school activities, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or
- are otherwise for the use and benefit of the school.
The Act primarily protects a student's 'covered information,' which is defined as 'personal information or material, or information that is linked to personal information or material, in any media or format' that 'personally identifies a student, including:
- information in the student's education record or electronic mail;
- first and last name;
- home address;
- telephone number;
- electronic mail address or other information that allows physical or online contact;
- discipline records;
- test results;
- special education data;
- juvenile dependency records;
- grades;
- evaluations;
- criminal records;
- medical records;
- health records;
- social security number;
- biometric information;
- disability status;
- socioeconomic information;
- food purchases;
- political affiliations;
- religious information;
- text messages;
- documents;
- student identifiers;
- search activity;
- photos;
- voice recordings; or
- geolocation information.'
To qualify as 'covered information,' the information must also meet the following criteria:
- it is not publicly available, or it is made publicly available pursuant to the federal FERPA; and
- it is:
- created by or provided to an operator by a student or the student's parent or legal guardian in the course of the student's, parent's, or legal guardian's use of the operator's site, service, or application for PreK-12 school purposes; or
- created by or provided to an operator by an employee or agent of a school or school district for PreK-12 school purposes; or
- gathered by an operator through the operation of its site, service, or application for PreK-12 school purposes.
The Act places the following duties on an operator:
- implement and maintain reasonable security procedures/practices appropriate to the nature of the covered information and designed to protect such information;
- within a reasonable time and to the extent practicable, delete a student's covered information if the school or school district requests deletion of such information under the control of the school or school district, unless the student or their parent or legal guardian consents to the maintenance of such information; and
- publicly disclose and furnish material information to the school about the operator's collection, use, and disclosure of covered information, including publishing a term of service agreement, privacy policy, or similar document.
The Act prohibits an operator from knowingly doing any of the following:
- engaging in targeted advertising if the targeting is based on any information, including covered information and persistent unique identifiers, the operator acquired from use of that operator's site, service, or application;
- using information, including a persistent unique identifier, created or gathered by the operator's site, service, or application to amass a profile about a student, except in furtherance of PreK-12 school purposes;
- selling, bartering, or renting a student's information, including covered information (other than via purchase, merger, or other type of acquisition of an operator by another entity); and
- except as authorized under the Act (see below), disclosing covered information unless the disclosure is made for one or more of the purposes enumerated in the Act and is proportionate to the identifiable information necessary to accomplish the purpose.
The Act permits an operator to use or disclose covered information of a student under the following circumstances:
- if other laws require disclosure and the operator complies with the requirements of those laws in protecting and disclosing the information;
- for legitimate research purposes required by other laws, subject to any restrictions under those laws and under the direction of a school, school district, or the State Board of Education if the covered information is not used for advertising or to amass a profile on the student for purposes other than for PreK-12 school purposes; and
- disclosure to a state or local educational agency for PreK-12 school purposes as permitted by other laws.
The Act does not prohibit or limit an operator from doing any of the following:
- using covered information to improve educational products if such information is not associated with an identified student within the operator's site, service, or application or other sites, services, or applications owned by the operator;
- using covered information not associated with an identified student to demonstrate the effectiveness of the operator's products or services;
- sharing covered information not associated with an identified student to develop and improve educational sites, services, or applications;
- using recommendation engines to recommend to a student additional content or services relating to educational, other learning, or employment opportunity purposes within an online site, service, or application if the recommendation is not determined by payment or other consideration from a third party;
- responding to a student's request for information or feedback without the information or response being determined by payment or other consideration from a third party;
- using information for purposes of maintaining, developing, supporting, improving, or diagnosing the operator's site, service, or application;
- using student data, including covered information, for adaptive learning or customized student learning purposes; or
- marketing educational products directly to parents if the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under the Act.
The Act also does not:
- limit the authority of law enforcement to obtain content or information from an operator as authorized by law or under a court order;
- apply to internet websites, online services, online applications, or mobile applications targeted at general audiences, even if the login credentials created for an operator's site, service, or application are also used to access those general audience sites, services, or applications;
- limit service providers from providing internet access to schools or students and their families;
- require providers of electronic stores, gateways, marketplaces, or other means of purchasing or downloading software or applications to review or enforce compliance by users of those applications or software;
- require providers of an interactive computer service to review or enforce compliance by third-party content providers;
- prohibit students from downloading, exporting, transferring, saving, or maintaining their own student-created data or documents; or
- supersede FERPA or rules adopted pursuant to FERPA.
Finally, violations of the Act constitute unfair and deceptive acts in commerce in violation of 9 V.S.A. §2453.
Identity theft
13 V.S.A. §2030 makes it illegal for a person to 'obtain, produce, possess, use, sell, give, or transfer personal identifying information belonging or pertaining to another person with the intent to use the information to commit a misdemeanor or a felony,' or 'knowingly or recklessly obtain, produce, possess, use, sell, give, or transfer personal identifying information belonging or pertaining to another person without the consent of the other person and knowingly or recklessly facilitating the use of the information by a third person to commit a misdemeanor or a felony'. For a definition of PII under 13 V.S.A. §2030, see section 2 above.
A violation of 13 V.S.A. §2030 is punishable by imprisonment for not more than three years or a fine of not more than $5,000, or both. In addition, subsequent violations involving a separate scheme are punishable by imprisonment for not more than ten years or a fine of not more than $10,000, or both.
Vermont Electronic Communication Privacy Act
The Vermont Electronic Communication Privacy Act, under §§8101 et seq. of Chapter 232 of Title 13 of the V.S.A., addresses the conditions under which law enforcement may access 'electronic communications' and 'protected user information.' An 'electronic communication' is defined in the statute as 'the transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, a radio, electromagnetic, photoelectric, or photo-optical system.' PII is defined as 'electronic communication content, including the subject line of e-mails, cellular tower-based location data, GPS or GPS-derived location data, the contents of files entrusted by a user to an electronic communication service pursuant to a contractual relationship for the storage of the files whether or not a fee is charged, data memorializing the content of information accessed or viewed by a user, and any other data for which a reasonable expectation of privacy exists'.
A defendant in a trial, hearing, or other proceeding may move to suppress any electronic information obtained or retained in violation of the statute.
The CVR
Additional privacy requirements in Vermont are contained in various sector-specific regulations. These include the following:
- CVR 31-010-003: this regulation addresses privacy matters with respect to enhanced 9-1-1 service for Vermont, including 'automatic location identification,' which is 'the system capability to identify automatically the geographical location of the telephone being used by the caller and to provide a display of that location information at any public safety answering point'. The regulation requires local exchange carriers, alternative local exchange carriers, and telecommunications companies to notify consumers of their privacy rights and develop procedures to enable consumers to exercise their privacy option.
- Standards for Billing, Credit and Collections, and Customer Information for Telecommunications Carriers, under CVR 30-000-7600 (Standards): The Standards protect consumers from unfair and deceptive practices and set minimum standards for consumer protection. Specifically, §7.605(A)(10) of the Standards provides that Vermont telecommunications consumers have '[t]he right to privacy by controlling the release of information about oneself and one's calling patterns and by controlling unreasonable intrusions upon privacy.' In addition, §7.608 of the Standards requires telecommunications carriers to take reasonable steps to protect customer privacy, prepare privacy analysis statements for service modifications or technology changes, afford customers the opportunity to have their telephone numbers unlisted/unpublished, allow customers to prevent the display of the calling party's name and telephone number on a caller identification display device, and notify customers at least annually regarding information that is released to call recipients when the customer places a call to a toll-free or pay-per-call telephone number.
- Sales and Use Tax Regulations, under CVR 10-060-033: §1.9707-3 of the Sales and Use Tax Regulations requires that certified service providers working on behalf of sellers must perform tax calculations, remittances, and reporting functions without retaining consumers' PII, defined as 'information that identifies a person.' The Sales and Use Tax Regulations also provide that the Commissioner of the Vermont Department of Taxes may not retain PII that has been collected but is no longer required. Also, the Commissioner of Taxes must provide consumers with reasonable access to their own PII in the State's possession, as well as the right to correct any inaccurately recorded information. Finally, in certain circumstances, the Commissioner of Taxes must notify consumers if a request to discover their PII is made.
- Special Education Rules, CVR 22-000-006: The Special Education Rules implement the federal Education of Individuals with Disabilities Act of 2000 and ensure that Vermont students with educational disabilities have access to a free and appropriate public education. In particular, §2365.2 of the Special Education Rules addresses privacy matters with respect to students' 'education records,' which are defined under FERPA, and PII defined as '(1) the name of a child, the child's parent, or another family member; (2) the address of the child or the child's parents; (3) a personal identifier such as the child's social security number or student number; or (4) a list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty or make the child's identity easily traceable.' Moreover, §2365.2 of the Special Education Rules contains requirements concerning notices to parents, rights to access records, records of access to education records, amendments of records, hearing procedures, consent for disclosures of PII and education records, safeguards to protect confidentiality, destruction of information, and children's rights.