Vermont recently amended its data breach notification law. The changes will go into effect July 1, 2020. As amended, the definition of “personal information” now includes the following when combined with a consumer’s first name or first initial and last name:

• Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
• Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
• Genetic information; and
• Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.

The amended law also includes notification requirements for breaches of “login credentials” (a user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account). If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.

Putting it Into Practice: Beginning July 1, companies who suffer a breach that impacts login credentials will need to keep in mind the requirements under Vermont’s law. Companies should also keep in mind the expanded definition of personal information.