Vermont lawmakers recently passed a first-of-its-kind data broker law, which protects consumers from credit freeze fees, data fraud and clarifies data security requirements.

The new law defines a data broker as: “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

The Vermont Data Broker Law requires that data brokers:

• register annually with the Secretary of State.
• incorporate standard security measures in handling their personally identifiable information.
• notify authorities of security breaches.
• eliminate fees associated with initiating or lifting credit freezes. Note: The Economic Growth, Regulatory Relief and Consumer Protection Act signed by President Trump on May 24 also includes a provision that eliminates fees associated with initiating or lifting credit freezes.

The law refers to “Brokered PI” which is broader than the definition of personally identifiable information (PII) that is the subject of the law’s information security program requirements. Brokered PI includes one or more elements such as name address, place of birth, mother’s maiden name, biometric authentication data, contact information of immediate family members, Social Security numbers or other government identification numbers, or “other information that, alone or in to combination with the other information sold or licensed, should allow a reasonable person to identify the consumer with reasonable certainty.”

When registering with the Secretary of State, data brokers are required to disclose whether and what activities consumers can opt out of with respect to the collection of brokered personal information (PI) and the method for doing so. In addition, the registration must include a statement on whether the data broker implements a purchaser credentialing process, the number of security breaches the broker has experienced in the last year, whether it has actual knowledge that it possesses brokered PI relating to minors, and any additional information or explanation the data broker chooses to provide concerning its data collection practices. It is expected that consumers and regulators will be able to access this registry.

The law requires that data brokers develop, implement and maintain a comprehensive written information security program appropriate to the size, scope and type of business and shall adopt safeguards that are consistent with the safeguards for personally identifiable information. The law specifies minimum features of an information security program to include the designation of one or more employees to maintain the program, identification and assessment of reasonably foreseeable internal and external risks to the security of the PII and employee training, supervision of service providers, reasonable access restriction, and regular monitoring, and upgrading information safeguards to limit risks. The law also requires a number of specific requirements relating to authentication protocols, encryption of PII stored on laptops or other portable devices, and other measures to ensure security of the networks.

In addition to the disclosures required in the registration process, the law allows consumers to request and obtain specific information from credit reporting agencies, including the names of users requesting their information in the last 12 months.

The effective date relating to data brokers (registration and data security obligations, is January 1 2019. The other provisions will take effect immediately.

The Attorney General has authority to enforce the law and adopt rules to implement the law.

Finally, the law requires that the Attorney General file a report on or before January 15, 2019 with respect to whether additional legislative and regulatory approaches are necessary to protect the data security and privacy of Vermont consumers including whether to create or designate a Chief Privacy Officer and whether to expand or reduce the scope of regulation to businesses with direct relationships to consumers.

In a press statement, Attorney General TJ Donovan said that “Vermonters care about their privacy” and commented that the law “not only saves them money, but it gives them information and tools to help them keep their personal information secure.” In 2017, AG Donovan convened a working group in partnership with the Department of Financial regulation that issued a report with a menu of options for the legislature to consider. The new law incorporated some of those recommendations.