On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law provides that entities regulated by Vermont’s Department of Financial Regulation “shall provide notice of a breach to the Department [of Financial Regulation].” Such entities need not notify Vermont’s Attorney General. For affected institutions, such notice will be in addition to any notice required by applicable federal regulations. The new requirements were effective immediately upon signing.
The North Dakota legislature has also been occupied with data privacy by expanding the definition of “personal information” within its breach notification law. Under the new definition of House Bill No. 1435, both “health insurance information” and “medical information” have been added to the definition of “personal information.” By expanding this definition, the North Dakota legislature effectively expands the scope of breach-notice obligations to include these new categories. “Health insurance information” is defined within the law as “an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is also broadly defined as “any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
The same North Dakota law, however, also modifies the existing law in order to exempt HIPAA “covered entities” and “business associates” from notice obligations under North Dakota law. In case of an unauthorized acquisition of personal information, such entities remain subject to federal breach-notice regulations (especially the Final Rule).
The North Dakota law takes effect August 1, 2013.