Vermont

Security Breach Notice Act
CITATION Vt. Stat. tit. 9 § 2430 et seq.
ENACTED 2007
SUMMARY

The law requires any data collector that owns or licenses computerized personal information about a consumer to provide notice if there is a security breach.

No notice is required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection.

DATA COVERED

The law covers "Personal Information," which means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:

  1. Social Security number;
  2. Motor vehicle operator's license number or non-driver identification card number;
  3. Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords;
  4. Account passwords or personal identification numbers or other access codes for a financial account.

INDUSTRY

An individual or entity that owns or licenses computerized data that includes PI or maintains such data.

PENALTIES

The Attorney General and the State’s Attorney have the authority to enforce this law. If the breach involves a person or entity licensed or registered with the department of banking, insurance, securities and health care administration, then the relevant regulatory authority can investigate and impose penalties for a violation.