On May 22, 2018, Vermont’s first-in-the-nation law imposing disclosure and data security obligations on data brokers (H.764) went into effect was enacted. Calls for legislation to regulate data brokers are not new – at the federal level, the FTC proposed “targeted legislation” of the industry in a 2012 report on consumer privacy, and reiterated that proposal in a 2014 report specifically focused on data brokers. But until now, no data-broker-specific legislation had been enacted.

In addition to imposing a number of new requirements on data brokers (outlined below), the law also requires credit reporting agencies to provide and remove “security freezes” prohibiting the release of consumer credit reports at no charge. The data broker provisions will go into effect January 1, 2019, while the other sections of the law became effective upon passage.

Data Brokers

Vermont’s new law will impose several specific requirements on data brokers, including:

• Registration: Data brokers (defined as a business or business unit that collects and sells/licenses information to third parties about consumers with whom the business doesn’t have a direct relationship) have to register annually with the Vermont Secretary of State.
• Disclosures: The annual registration calls for a variety of mandatory annual disclosures, including:
  • If the data broker permits a consumer to opt-out of the data broker’s databases/data collection, how to do so and whether such opt-outs are limited and what collection/databases/sales of data consumers cannot opt out of;
  • Whether the data broker requires purchasers of its information to be credentialed in any way;
  • How many “data broker security breaches” the data broker experienced in the last year, including how many consumers were affected (if known):
    • A “data broker security breach” is defined as the unauthorized acquisition of two or more elements of unencrypted “brokered personal information” (“Brokered PI”) or the reasonable belief that such unauthorized acquisition has occurred;
  • Notably, “Brokered PI” is a much broader category than the more focused definition of personally identifiable information that is the subject of the legislation’s information security program requirements (see below) and that can trigger consumer notifications under Vermont’s generally applicable data breach reporting law. Brokered PI includes one or more elements such as a consumer’s name, address, place of birth, mother’s maiden name, biometric authentication data; the name or address of a consumer’s immediate family members or a consumer’s Social Security number or government-issued identification number; or “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty;”
  • If the data broker knows it possesses information about minors, a separate statement detailing data collection practices, sales activities, and opt-out procedure applicable to that information; and
  • Brokered PI does not include publicly available information about a consumer’s business or profession.

Enforcement of the registration requirements lies with the Attorney General. Failure to register and make the required disclosures may result in fines or “other penalties imposed by law.”

• Prohibitions on Acquisition and Use: The new law also bans the acquisition or use of brokered PI from a data broker through fraud, or for the purpose of stalking, committing a fraud (including identity theft), or engaging in discrimination. 
• Mandatory Information Security Program: Data brokers have to develop, maintain, and implement a “comprehensive information security program” to protect “personally identifiable information” (using the same definition found in Vermont’s data breach notification statute) with administrative, technical, and physical safeguards appropriate to the size and scope of the business, and must, at a minimum:
  • Designate employees to maintain the program;
  • Make risk assessments and implement subsequent mitigation processes, including employee training;
  • Adopt security policies;
  • Document disciplinary measures for program violations;
  • Create and maintain employee off-boarding procedures;
  • Manage third-party vendors;
  • Manage access to personally identifiable information;
  • Regularly monitor, review, and update the security program; and
  • Document actions taken in response to breaches of security and post-incident reviews;

The law also includes a very specific list of “computer system requirements” that must be implemented, to the extent technically feasible, including access controls, password requirements, and encryption (“or a protocol that provides a higher degree of security”) of all personally identifiable information transmitted wirelessly or over a public network, as well as on any laptops or other portable devices;

Notably, these security requirements generally align with the recommendations of the Federal Trade Commission in its published guidance, as well as the requirements contained in many of the consent decrees arising from FTC enforcement actions. 

Failure to maintain the required security program is declared to be an “unfair and deceptive act in commerce.” This means that enforcement actions can be brought either by the Attorney General or by a private citizen under the state’s consumer protection laws. The statute also gives the Attorney General authority to adopt rules to implement the new security provisions.

Credit Security Freezes

In reaction to the Equifax breach, widely publicized in the fall of 2017, Vermont’s new law requires credit reporting agencies (as defined under existing state law; not “data brokers”) to offer consumers free credit report security freezes and unfreezes. Freezes/unfreezes may be required by any consumer at any time. Under prior law, Vermont consumers had a general right to request or lift freezes for a fee and to receive notice of that right in any notice under 15 U.S.C. § 1681g (the Fair Credit Reporting Act). 

The new law modifies those provisions to require the freezes/unfreezes be provided at no charge. The law also clarifies that a consumer requesting a freeze should receive a PIN, a password, or some “equally or more secure method of authentication” for dealing with the credit reporting agency regarding the freeze.

Issues with the New Law

Consumer groups supported the new law.  Industry, for its part, opposed it on several grounds, including:

• The registration requirement provides no greater security, or even meaningful transparency, to consumers;
• Data breaches are already reportable under Vermont law, so the additional annual reporting requirement is unnecessary;
• The law’s definition of Brokered personal information is too broad, covering not only many innocuous data elements, but also any information that could be combined with other data to permit identification of a particular individual;
• Requiring registration of entities engaged in collecting and disseminating information raises potential First Amendment problems;
• Imposing obligations supposedly relating to Vermont, but in fact affecting a company’s entire (interstate) operations, raises potential Commerce Clause problems; and
• Requiring data brokers to have a data security program is both unnecessary and unduly detailed and prescriptive.

It remains to be seen how aggressive the Vermont Attorney General will be in enforcing these new provisions. For example, while data brokers’ failures to register are not expressly called out as “unfair and deceptive” acts (as are failures to maintain an adequate security system), registration failures are subject to “other penalties imposed by law,” so one can imagine the AG (or an aggressive plaintiff’s attorney) claiming that failure to publicly report the required information constitutes a form of “unfairness” or “deception.”

It also remains to be seen whether any affected firms will challenge the new law in court. Notably, in assessing potential legislation in this area, Vermont officials did not see significant litigation risk with regard to the registration/data provision aspects of the law, but they were less sanguine about provisions imposing security standards and data breach reporting.