Vermont Data Brokers
9 V.S.A. § 2446, et seq.
CITATION:
The Vermont Statutes Online
Title 9: Commerce and Trade
Chapter 62: Protection Of Personal Information
Subchapter 5: Data Brokers
§ 2446. Annual registration
§ 2447. Data broker duty to protect information; standards; technical requirements
Subchapter 5: Data Brokers
§ 2446. Annual registration
(a) Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100.00; and
(3) provide the following information:
(A) the name and primary physical, e-mail, and Internet addresses of the data broker;
(B) if the data broker permits a consumer to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) if the opt-out applies to only certain activities or sales, which ones; and
(iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;
(C) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;
(D) a statement whether the data broker implements a purchaser credentialing process;
(E) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches;
(F) where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
(G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) A data broker that fails to register pursuant to subsection (a) of this section is liable to the State for:
(1) a civil penalty of $50.00 for each day, not to exceed a total of $10,000.00 for each year, it fails to register pursuant to this section;
(2) an amount equal to the fees due under this section during the period it failed to register pursuant to this section; and
(3) other penalties imposed by law.
(c) The Attorney General may maintain an action in the Civil Division of the Superior Court to collect the penalties imposed in this section and to seek appropriate injunctive relief. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)
§ 2447. Data broker duty to protect information; standards; technical requirements
(a) Duty to protect personally identifiable information.
(1) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
(A) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program;
(B) the amount of resources available to the data broker;
(C) the amount of stored data; and
(D) the need for security and confidentiality of personally identifiable information.
(2) A data broker subject to this subsection shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of personally identifiable information and information of a similar character set forth in other State rules or federal regulations applicable to the data broker.
(b) Information security program; minimum features. A comprehensive information security program shall at minimum have the following features:
(1) designation of one or more employees to maintain the program;
(2) identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including:
(A) ongoing employee training, including training for temporary and contract employees;
(B) employee compliance with policies and procedures; and
(C) means for detecting and preventing security system failures;
(3) security policies for employees relating to the storage, access, and transportation of records containing personally identifiable information outside business premises;
(4) disciplinary measures for violations of the comprehensive information security program rules;
(5) measures that prevent terminated employees from accessing records containing personally identifiable information;
(6) supervision of service providers, by:
(A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and
(B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information;
(7) reasonable restrictions upon physical access to records containing personally identifiable information and storage of the records and data in locked facilities, storage areas, or containers;
(8)(A) regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personally identifiable information; and
(B) upgrading information safeguards as necessary to limit risks;
(9) regular review of the scope of the security measures:
(A) at least annually; or
(B) whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personally identifiable information; and
(10)(A) documentation of responsive actions taken in connection with any incident involving a breach of security; and
(B) mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personally identifiable information.
(c) Information security program; computer system security requirements. A comprehensive information security program required by this section shall at minimum, and to the extent technically feasible, have the following elements:
(1) secure user authentication protocols, as follows:
(A) an authentication protocol that has the following features:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect;
(iv) restricting access to only active users and active user accounts; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access; or
(B) an authentication protocol that provides a higher level of security than the features specified in subdivision (A) of this subdivision (c)(1);
(2) secure access control measures that:
(A) restrict access to records and files containing personally identifiable information to those who need such information to perform their job duties; and
(B) assign to each person with computer access unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls or a protocol that provides a higher degree of security;
(3) encryption of all transmitted records and files containing personally identifiable information that will travel across public networks and encryption of all data containing personally identifiable information to be transmitted wirelessly or a protocol that provides a higher degree of security;
(4) reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;
(5) encryption of all personally identifiable information stored on laptops or other portable devices or a protocol that provides a higher degree of security;
(6) for files containing personally identifiable information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information or a protocol that provides a higher degree of security;
(7) reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis or a protocol that provides a higher degree of security; and
(8) education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
(d) Enforcement.
(1) A person who violates a provision of this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.
(2) The Attorney General has the same authority to adopt rules to implement the provisions of this chapter and to conduct civil investigations, enter into assurances of discontinuance, and bring civil actions as provided under chapter 63, subchapter 1 of this title. (Added 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019.)
Protection of Personal Information (Vermont Statutes, Title 9, Sec. 2430 through 2445, approved May 18, 2006, effective January 1, 2007.)
For more information, see here: https://legislature.vermont.gov/statutes/chapter/09/062
AND
https://sos.vermont.gov/corporations/other-services/data-brokers/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.