Privacy and Data Security

Personal information such as Social Security Numbers, credit and debit card numbers, and bank account information must be kept confidential and secure under Vermont law. This page describes how businesses and state agencies must protect consumers’ personal information and notify consumers in the event of a data security breach.

If you are concerned that someone is using your personal information to commit identity theft, please refer to our information on Identity Theft.

This page provides information on the following topics:

Duty to Notify Vermont Consumers and Attorney General of a Security Breach
Past Security Breach Notices
Data Security for Businesses
Use of Social Security Numbers
Facebook Presentation

Duty to Notify Vermont Consumers and Attorney General of a Security Breach

Vermont’s Security Breach Notice Act requires businesses and state agencies to notify the Attorney General and consumers in the event a business or state agency suffers a “security breach.” A security breach is defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency].”

14-day Notice: Businesses are required to notify the Office of the Attorney General within 14 days of discovering a breach. This notification may be preliminary, and is kept confidential by statute. The form of affirmation required to waive the 14-day preliminary notice requirement can be found here (PDF).

Notice to Consumers: The notification to consumers must be sent as soon as possible and no later than 45 days after discovery of the breach. Depending on the size of the breach, the notice must be given either individually in a specific form or through mass media.

Information on what to do in the event of a security breach is available in the Vermont Attorney General’s Security Breach Notification Guidance.

Past Security Breach Notices

The Attorney General maintains a list of notice letters received by the Office concerning incidents that may have compromised the personal information of Vermont residents.

Data Security for Small Businesses

If you would like to be added to our Data Security distribution list or have any questions about Data Security, please email

  • What are the online threats to your business, your customers, and your reputation?
  • What should you be doing to protect private information?
  • What are your legal responsibilities if you get attacked online?

    The Attorney General and Norwich University’s Center for Advanced Computing and Digital Forensics are offering a series of initiatives to help protect Vermont’s small businesses and consumers online.

    Workshops: Cyber safety workshops have been held throughout Vermont. You can view the June 20, 2012 presentation here. Notice of future workshops will be sent through the Data Security distribution list.

    Scan Vermont: Norwich University will provide free data security scans for small businesses to help keep your online presence secure. If you are interested in this program, please submit an application here.

    Additional Resources for Businesses:

    Tips for Protecting Your Personal Information – Federal Trade Commission
    Protecting Personal Information: A Guide for Business – Federal Trade Commission
    Copier Data Security: A Guide for Businesses – Federal Trade Commission

    Use of Social Security Numbers

    Vermont’s Social Security Number Protection Act requires businesses and state agencies to limit the use of Social Security Numbers and protect their confidentiality. In particular:

  • Businesses must safely destroy records that contain Social Security Numbers and other personal information.
  • State agencies and political subdivisions must take all reasonable steps to redact Social Security Numbers from a document before posting it in a public place.
  • Upon request, a town clerk or clerk of court must remove from a record placed on a town’s or court’s public website the person’s Social Security Number, employer taxpayer identification number, driver’s license number, state identification number, passport number, checking account number, savings account number, credit card or debit card number, or personal identification number (PIN) or password.

    More information about all of these laws and recommended practices for protecting the confidentiality of Social Security Numbers is available in the Vermont Attorney General’s Guidance Concerning the Protection of Social Security Numbers.

    Facebook Presentation

    On May 29, 2012, Attorney General Bill Sorrell, Facebook, and Essex High School hosted a presentation for parents, students, and school staff to show them how to be safe when using Facebook. Topics discussed included:

  • the general anatomy of a Facebook page,
  • how to report, prevent, and defuse instances of bullying on Facebook,
  • privacy settings,
  • age restrictions, and
  • how to use these tools for better protection.

    You can watch the video here.

    Published: Jul 25, 2014