← All US breach laws·VT

Vermont data breach notification law

Vermont's data breach notification requirements under 9 V.S.A. §§2430, 2435 (Security Breach Notice Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
9 V.S.A. §§2430
Enforcer
Vermont Attorney General
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay, but no later than 45 days after discovery or notification of the breach
Notify the state regulator
Yes — preliminary notice to the AG within 14 BUSINESS DAYS of breach discovery (one of the shortest pre-notice windows), final notice within 45 days
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required when there is misuse or material risk of misuse — narrow exceptions
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Vermont law

First name/initial + last name with SSN, DL/state ID, financial account + access code, biometric data, OR username/email + password/security Q&A; ALSO standalone account + access code

Penalties and enforcement

Up to $10,000 per violation under Vermont Consumer Protection Act
Enforced by: Vermont Attorney General. Official regulator page →

Common pitfalls

Vermont's 14-business-day PRELIMINARY AG-notice is the shortest in the country — file even if the investigation is incomplete

Frequently asked questions

How long do I have to notify Vermont residents after a data breach?
In the most expedient time possible and without unreasonable delay, but no later than 45 days after discovery or notification of the breach
Do I have to notify the Vermont Attorney General?
Yes — preliminary notice to the AG within 14 BUSINESS DAYS of breach discovery (one of the shortest pre-notice windows), final notice within 45 days
Does Vermont require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Vermont's breach notification requirement?
Yes — Vermont has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Vermont residents sue me directly for a data breach?
No — Vermont's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Vermont law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, biometric data, OR username/email + password/security Q&A; ALSO standalone account + access code
What are the penalties for failing to comply with Vermont's breach notification law?
Up to $10,000 per violation under Vermont Consumer Protection Act

Related state breach laws

Texas (TX)
Tex. Bus. & Com. Code §521.053
Utah (UT)
Utah Code §§13-44-101 to 13-44-301
Virginia (VA)
Va. Code §18.2-186.6
Washington (WA)
Wash. Rev. Code §19.255.010

Pre-empt the Vermont breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Vermont's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit