Vermont Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Vermont operates one of the more protective data breach notification frameworks in the United States. While many states require a single notification to their attorney general alongside consumer notices, Vermont stands apart with its two-stage reporting process: a preliminary notice to the Attorney General within 14 days, followed by consumer notification within 45 days.
The current law is codified at 9 V.S.A. 2430 (definitions) and 9 V.S.A. 2435 (notification requirements). Originally enacted in 2006, the statute underwent major revisions through Act 89 of 2020 (S.110), effective July 1, 2020, which expanded the definition of personal information, added login credentials protections, and created the 14-day preliminary AG notice requirement.
For a broader look at Vermont's privacy framework, see the parent guide to [Vermont Data Privacy Laws](/us-laws/data-privacy-laws/vermont-data-privacy-laws).
Who Must Comply
Vermont's law applies to "data collectors," which the statute defines broadly. A data collector is any person, association, municipality, corporation, or other entity that, for any purpose, receives, stores, maintains, processes, or otherwise has access to personally identifiable information of Vermont residents.
This includes both private businesses and government entities. Third-party service providers that handle personal information on behalf of a data collector are also subject to the law.
Entities regulated by the Vermont Department of Financial Regulation (DFR), such as banks, insurance companies, and other financial institutions, must report breaches to DFR rather than the Attorney General. All other entities report to the AG.
What Qualifies as Personal Information
Under 9 V.S.A. 2430, "personally identifiable information" is defined as a consumer's first name or first initial and last name combined with any of the following unencrypted data elements:
- Social Security number
- Driver's license or state identification card number
- Financial account number, credit card number, or debit card number (if usable without additional authentication)
- Passwords, personal identification numbers, or other access codes for a financial account
- Individual taxpayer identification number
- Passport number
- Military identification card number
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as fingerprint, retina, or iris images
- Genetic information
The 2020 amendments through Act 89 added several of these categories, including biometric data, genetic information, passport numbers, military IDs, and taxpayer identification numbers.
Login credentials are also independently protected. A consumer's username or email address combined with a password or security question answer that permits access to an online account qualifies as protected information, even without a name match.
Personal information does not include publicly available information lawfully made available to the general public from government records.
What Triggers the Notification Requirement
A "security breach" under Vermont law means the unauthorized acquisition of electronic data, or a reasonable belief of unauthorized acquisition, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector.
When a data collector becomes aware of a potential breach, it must conduct an investigation. If the investigation determines that personal information has been or is reasonably believed to have been compromised, the notification requirements are triggered.
The discovery date is not the date the investigation is completed. It is the earliest date the entity became aware of, or had a reasonable belief of, unauthorized activity affecting personal information.
The Two-Stage Notification Timeline

Vermont's notification framework has two distinct deadlines, making it more demanding than most states.
Stage 1: Preliminary Attorney General Notice (14 Days)
Within 14 days of discovering or being notified of a security breach, the data collector must submit a preliminary notice to the Vermont Attorney General.
This preliminary notice is kept confidential by statute. It allows the AG's office to begin monitoring the situation and provide guidance before consumer notifications go out. The preliminary form captures basic information about the breach, including what happened, what data was affected, and the estimated number of Vermont residents impacted.
For entities regulated by the Department of Financial Regulation, this preliminary notice goes to DFR instead.
Stage 2: Consumer Notification (45 Days)
The data collector must notify affected consumers as soon as possible and without unreasonable delay, but no later than 45 days after discovery or notification of the breach.
The 45-day clock starts from the date the entity discovered or was notified of the breach, not from the date the investigation concluded.
Law enforcement may request a delay in consumer notification if it would impede a criminal investigation. Notification must proceed as soon as law enforcement determines it will no longer compromise the investigation.
What the Consumer Notice Must Include

Vermont specifies the content of breach notification letters. Notices to affected consumers must include:
- A description of the incident in general terms
- The type of personally identifiable information that was compromised
- Steps the data collector has taken to protect the consumer's data from further breaches
- A telephone number for the data collector that the consumer may call for further information and assistance
- Advice directing the consumer to remain vigilant by reviewing account statements and monitoring free credit reports
- The toll-free numbers, addresses, and websites for the major consumer reporting agencies
- The toll-free number, address, and website for the Federal Trade Commission
For breaches involving login credentials specifically, the notice must direct the consumer to promptly change their password and security questions for the affected account and for any other account where the consumer used the same credentials.
Attorney General Reporting
In addition to the 14-day preliminary notice, the data collector must submit a completed Security Breach Reporting Form to the Attorney General once the investigation is complete and consumer notices have been sent.
The AG's office maintains a public list of security breach notices on its website, providing transparency about breaches affecting Vermont residents.
There is no minimum threshold for AG notification in Vermont. Even a single affected Vermont resident triggers the reporting requirement.
Substitute Notice

Vermont allows substitute notice when direct notification is not feasible. A data collector may use substitute notice if it demonstrates that:
- The cost of providing direct notice would exceed $5,000
- The affected class exceeds 5,000 consumers
- The data collector does not have sufficient contact information
Substitute notice requires all three of the following: email notification (if email addresses are available), conspicuous posting on the entity's website, and notification to major statewide media outlets.
Encryption Safe Harbor
Vermont provides an encryption safe harbor. Personal information that is encrypted, redacted, or protected by another method rendering it unreadable or unusable by unauthorized persons is not subject to the notification requirements.
The encryption must have been in place at the time of the unauthorized acquisition. If encryption keys were also compromised in the breach, the safe harbor does not apply.
Interaction with Federal Regulations
Entities that maintain procedures for breach notification pursuant to federal law or regulation, such as HIPAA for healthcare entities or the Gramm-Leach-Bliley Act for financial institutions, are deemed in compliance with Vermont's notification requirements if they comply with their federal obligations.
However, these entities must still file the preliminary 14-day notice with the Attorney General or the Department of Financial Regulation, as applicable.
Enforcement and Penalties
The Vermont Attorney General enforces the breach notification law under the authority of the Vermont Consumer Protection Act (9 V.S.A. Chapter 63). State's attorneys may also enforce the law within their jurisdictions.
There is no private right of action under the breach notification statute. Only the AG and state's attorneys can bring enforcement actions.
Penalties can be substantial:
- Civil penalties of up to $10,000 per violation
- Each day past the statutory deadline that each consumer is not notified is considered a separate violation
- Each day past the 14-day deadline that the AG is not notified is also a separate violation
This per-day, per-consumer calculation means that penalties can accumulate rapidly for large breaches with delayed notification.
The AG may also issue Civil Investigative Demands (civil subpoenas) to investigate potential violations and may seek injunctive relief to compel compliance.
Sources and References
This article references Vermont state statutes and official guidance from the Vermont Attorney General's office. Nothing in this article constitutes legal advice. Consult a licensed attorney in Vermont for guidance on specific compliance obligations.
- 9 V.S.A. 2430: Definitions (Vermont Security Breach Notice Act) (legislature.vermont.gov)
- 9 V.S.A. 2435: Notice of Security Breaches (legislature.vermont.gov)
- Act 89 of 2020 (S.110) Full Text (legislature.vermont.gov)
- Vermont AG Security Breach Notification Guidance (June 2020) (ago.vermont.gov)
- Vermont AG Preliminary Breach Reporting Form (ago.vermont.gov)
- Vermont AG Security Breach Reporting Form (ago.vermont.gov)
- Vermont AG Privacy and Data Security (ago.vermont.gov)
- Vermont DFR Data Breach Notifications (dfr.vermont.gov)
- HIPAA Information (hhs.gov)
- Gramm-Leach-Bliley Act (ftc.gov)