Attorney General TJ Donovan released guidance for businesses to comply with the recent changes in Vermont’s Security Breach Notice Act.
On Tuesday, July 14, Donovan clarified more types of information that are considered Personally Identifiable Information (PII). Health and genetic information, login credentials, government identification cards, and passport numbers fall under the PII, which require notice to consumers is stolen.
Businesses need to provide notice to customers regarding the collection of personally identifiable information, and that these are subject to a data breach. The notice prepares consumers in a case sensitive information is leaked or exposed.
As data breaches became a common occurrence due to the pandemic, customers need to protect their information to prevent identity theft. The increase in the number of people working from home is massive, which means risks are also higher than before.
Donovan clarifies that the Security Breach Notice Act in Vermont aims to inform and educate residents on the importance of their personal information. Additionally, it will monitor businesses that are collecting and storing data without caution.
“I have always believed that the best way to enforce the law is to give people and businesses the opportunity to comply with the law by providing education and outreach,” said Donovan.
Business Obligations
One of the reasons for the enforcement of the Security Breach Notice Act is to oblige businesses to alert customers and make them aware that their personal data may be at risk. Donovan said warning customers of a possible data breach is part of the obligations of businesses.
The guidance published on Tuesday provides a comprehensive overview of the act, explaining the legal obligations, notice requirements, and meaning of some terms. Donovan’s guidance also includes an extensive series of questions and answers to common issues and concerns.
According to Donovan, the enforcement of the Security Breach Notice Act is timely, as more people will resort to online purchasing to avoid going out of their homes. Businesses need to comply with this act in order to prevent penalties issued by the Vermont authorities.
Since the beginning of 2020, the Attorney General’s Office received a lot of complaints and notices on data breaches. According to their data, there are a total of 188 data breach incidents since early January, which are posted on the state website.
Before the change in law, businesses only notify customers of a possible data breach with the collection of financial account numbers, driver’s license, financial account logins, and Social Security numbers.