Office of the Vermont Attorney General

Privacy and Data Security

Personal information such as Social Security Numbers, credit and debit card numbers, and bank account information must be kept confidential and secure under Vermont law. This page describes how businesses and state agencies must protect consumers’ personal information and notify consumers in the event of a data security breach.

If you are concerned that someone is using your personal information to commit identity theft, please refer to our information on Identity Theft at our Consumer Assistant Program.

This page provides information on the following topics:

    • Duty to Notify Vermont Consumers and Attorney General of a Security Breach
    • Security Breach Notices
    • Data Security for Businesses
    • Use of Social Security Numbers

Duty to Notify Vermont Consumers and Attorney General of a Security Breach

Vermont’s Security Breach Notice Act requires businesses and state agencies to notify the Attorney General and consumers in the event a business or state agency suffers a “security breach.” A security breach is defined as the “unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency].”

14-day Notice: Businesses are required to notify the Office of the Attorney General within 14 days of discovering or being notified of a breach. This notification may be preliminary, and is kept confidential by statute. The form of affirmation required to waive the 14-day preliminary notice requirement can be found here (PDF).

Notice to Consumers: The notification to consumers must be sent as soon as possible and without unreasonable delay, and no later than 45 days after discovery or notice of the breach. Depending on the size of the breach, the notice must be individual in a specific form or through mass media.

Information on what to do in the event of a security breach is available in the Vermont Attorney General’s Security Breach Notification Guidance.

Security Breach Notices

The Attorney General maintains a list of notice letters received by the Office concerning incidents that may have compromised the personal information of Vermont residents.

Data Security for Small Businesses

If you would like to be added to our Data Security distribution list or have any questions about Data Security, please email ago.datasecurity@vermont.gov.

There are many helpful resources for Data Security guidance. Below are just a few:

Protecting Personal Information: A Guide for Business – Federal Trade Commission
Small Business Information Security: The Fundamentals – National Institute of Standards and Technology
Ten Cybersecurity Tips for Small Businesses – Federal Communications Commission
Copier Data Security: A Guide for Businesses – Federal Trade Commission

Use of Social Security Numbers

Vermont’s Social Security Number Protection Act requires businesses and state agencies to limit the use of Social Security Numbers and protect their confidentiality. In particular:

  • Businesses must safely destroy records that contain Social Security Numbers and other personal information.
  • State agencies and political subdivisions must take all reasonable steps to redact Social Security Numbers from a document before posting it in a public place.
  • Upon request, a town clerk or clerk of court must remove from a record placed on a town’s or court’s public website the person’s Social Security Number, employer taxpayer identification number, driver’s license number, state identification number, passport number, checking account number, savings account number, credit card or debit card number, or personal identification number (PIN) or password.

More information about all of these laws and recommended practices for protecting the confidentiality of Social Security Numbers is available in the Vermont Attorney General’s Guidance Concerning the Protection of Social Security Numbers.