Vermont Enacts Security Breach Notification Law

Vermont has enacted a Security Breach Notification law. (Senate Bill 284).

There are now 34 states with such laws.

The law provides that notification does not have to be made if misuse of the exposed personal information is not reasonably possible. The following is from the text of the bill as enacted.

"Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title."