
Data Breach Laws in Vermont: What to Do to Protect Data

Businesses that store, collect, or otherwise handle protected information of Vermont residents must inform their customers any time their data is exposed. If protected data (names, SSNs, financial info, etc.) is lost in a breach, businesses have to notify customers within 45 days. In addition, businesses have to send a copy of their customer notification to a consumer reporting agency within 14 days of the breach.

Name of Law / Statute


Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.

Who Is Subject to Law?

Business entity or retail establishment that handles, collects, or otherwise deals with PI

Notification of Consumers?

Yes (within 45 days of discovery of breach)

By what means?

Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies

Substitute Notice Threshold?

If cost of notice >$5,000 or involves >500k residents

Notification of authorities / regulators required?

Yes (within 14 days of discovery or consumer notice, whichever is sooner)

By what means?

Copy of the notice to consumers

Regulatory Fines

Up to $10,000/violation

Credit monitoring requirement?

Must provide advice

Private lawsuits allowed?


Private damages cap?

Injunctions only; no damages

Regulatory actions allowed?


HIPAA Compliance exemption?


Other (e.g., timeframe)

Law does not apply if PI was encrypted or otherwise secured or modified to protect PI

Link to complete law

Vermont's data breach law

Read the full text of Vermont’s data breach law.
