Both Vermont and Connecticut recently have amended their data breach security laws, imposing more stringent requirements on entities that experience a data breach. Effective July 1, 2012, under Vermont’s revised data breach law, entities that experience a data breach affecting Vermont consumers now must notify the Attorney General within 14 business days of discovery of the breach (or within 14 business days of notifying consumers, whichever is sooner). In the notification, the entity must provide the date of the breach, the date of discovery of the breach, and a preliminary description of the incident. Under current law, Vermont requires entities to provide data breach notification to affected consumers “in the most expedient time possible and without unreasonable delay….” The new law defines expediency and mandates all notification within 45 days of discovery of the breach. In the law, Vermont also modified the definition of a data breach, making clear that a breach is unauthorized acquisition of, not merely access to, personally identifiable information.
Connecticut’s new law, effective October 1, 2012, also mandates Attorney General notification. Under the new law, an entity that suffers a data breach and is required to notify consumers also must notify the state attorney general before, or no later than, notifying consumers.
Currently, approximately fifteen states have pending legislation to amend their existing data breach laws, with Connecticut and Vermont being the first two states in 2012 to sign the legislation into law, signalling the states’ continued efforts to address data breaches.