Mandatory Timeframe for Breach Reporting and/or Consumer Notification

14 business days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws:
- Up to $10,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The data owner must report a breach to the Attorney General or the Department of Financial Regulation within 14 days and must provide a preliminary description of the breach.
  • Consumer Notification of a breach must be made within 45 days after discovery of a breach.
  • If consumer notices must be provided to more than 1,000 consumers, the data owner must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Vermont’s security breach notification law is enforced under its Consumer Protection Act, which permits penalties up to $10,000.
  • Heightened protection and handling requirements apply to social security numbers.
  • Additional data protection requirements exist for data brokers.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • 8 V.S.A. § 2243 Banking and Insurance – Licensed Lenders: Confidentiality
  • 9 V.S.A. §§ 2430, 2431 Definitions; Acquisition of Brokered Personal Information; Prohibitions
  • 9 V.S.A. § 2435 Security Breach Notice Act
  • 9 V.S.A. § 2440 Social Security Number Protection Act
  • 9 V.S.A. § 2445 Document Safe Destruction Act
  • 9 V.S.A. § 2446 Data brokers Annual Registration
  • 9 V.S.A. § 2447 Data broker duty to protect information; standards; technical requirements