Vermont and North Dakota Amend Breach-Notice Laws


On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law provides that entities regulated by Vermont’s Department of Financial Regulation “shall provide notice of a breach to the Department [of Financial Regulation].” Such entities need not notify Vermont’s Attorney General. For affected institutions, such notice will be in addition to any notice required by applicable federal regulations. The new requirements were effective immediately upon signing.

The North Dakota legislature has also been occupied with data privacy by expanding the definition of “personal information” within its breach notification law. Under the new definition of House Bill No. 1435, both “health insurance information” and “medical information” have been added to the definition of “personal information.” By expanding this definition, the North Dakota legislature effectively expands the scope of breach-notice obligations to include these new categories. “Health insurance information” is defined within the law as “an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is also broadly defined as “any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”

The same North Dakota law, however, also modifies the existing law in order to exempt HIPAA “covered entities” and “business associates” from notice obligations under North Dakota law. In case of an unauthorized acquisition of personal information, such entities remain subject to federal breach-notice regulations (especially the Final Rule).

The North Dakota law takes effect August 1, 2013.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.