The State of Vermont has substantially revised its data protection and breach notification law. The revisions to 9 V.S.A. Chapter 62 are summarized below:
- The term “personally identifiable information” (PII) has been adopted and replaces the term “personal information” (PI).
- A “security breach” is now defined as “unauthorized acquisition of electronic data or a reasonable belief of unauthorized acquisition of electronic data.”
- The amendment also adds four factors for organizations to consider when determining whether PII has been acquired or is reasonably believed to have been acquired by an unauthorized person, including indications that the information: