Skip to main content

Attorney General Donovan Issues Guidance on Changes to Data Breach Notification Law

July 14, 2020

Passport numbers, login credentials, health information now considered “Personally Identifiable Information”

Contact: Charity R. Clark, Chief of Staff, 802-828-3171

Attorney General T.J. Donovan has released guidance to assist businesses in complying with changes to Vermont’s Security Breach Notice Act. As of July 1, 2020, more types of information—including health and genetic information, login credentials, and additional government IDs like passport numbers—are considered “Personally Identifiable Information” that requires notice to consumers if stolen or otherwise subject to a breach. By helping businesses understand the law, the guidance aims to help ensure that timely notice is provided to Vermont consumers so they can protect themselves if their sensitive information is exposed.

“I have always believed that the best way to enforce the law is to give people and businesses the opportunity to comply with the law by providing education and outreach,” said Attorney General Donovan. “Data breaches are an almost daily occurrence in the modern, digital economy. We owe it to businesses to be helpful and alert them to their obligations, and we owe it to consumers to be sure they are made aware if their personal information is at risk.”

The guidance published today provides a comprehensive overview of Vermont’s Notice Act and explains legal obligations, notice requirements, and updated definitions. The guidance also offers an extensive series of questions and answers to common problems, as well as tips, best practices, and even a model notice.

Since the beginning of the year, the Attorney General’s Office has received over 188 breach notices, which are posted at /categories/security-breaches. Before the change in law, businesses were only required to notify consumers if their Social Security, driver license, and financial account numbers, or financial account logins were exposed. Now, health information, genetic information, additional government IDs, and login credentials are also considered “Personally Identifiable Information” that require notice. The changes to the law that took effect earlier this month reflect how security breaches have changed over time and the expectations of consumers as to what types of information merit extra protection.

The guidance is not legal advice, and the Attorney General reminds Vermonters to contact an attorney with specific questions or concerns about their particular circumstances. For more information about security breaches, visit:

A copy of the guidance can be found here.