Mandatory Timeframe for Breach Reporting and/or Consumer Notification: 14 business days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws: Up to $10,000
Third Party Management: None to minimal
The data owner must report a breach to the Attorney General or the Department of Financial Regulation within 14 days and must provide a preliminary description of the breach.
Consumer notification of a breach must be made within 45 days after discovery of the breach.
If consumer notices must be provided to more than 1,000 consumers, the data owner must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Vermont’s security breach notification law is enforced under its Consumer Protection Act, which permits penalties up to $10,000.
Heightened protection and handling requirements apply to Social Security numbers.
Additional data protection requirements may exist for data brokers.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents of other states, you will need to notify those residents under their own state's rules.