April 2, 2023

Volume XIII, Number 92


Vermont Is First Mover Regulating Data Brokers

Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into effect in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.

Each program needs at least one employee who maintains it, and the program should identify and evaluate potential risks. Data brokers must also have security policies in place, and those policies must include disciplinary action for non-compliance. They must also, under the law, monitor and document both the program and security breaches. The law includes a variety of technical standards to which a comprehensive security program must adhere. This is very similar to the program set forth in the FTC’s BLU settlement we reported on recently.

Credit reporting agencies are a type of data broker under the law, and must follow specific requirements. These include a standard written notice to consumers and rules related to the placing of security freezes on a consumer’s credit report.

Personal information controlled by the law includes not just sensitive information like biometric data, but also contact information and several types of demographic information. Brokers are required to register annually with the Secretary of State. As part of the annual registration, brokers need to give information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Putting it Into Practice: This law is a reminder that more and more, legislators are drafting laws with specifics about data protection requirements and privacy and security programs. Here, for companies that are in the business of sharing information that they have not collected directly from consumers, this law is an important one to review.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 197

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Alyssa Sones, Sheppard Mullin Law Firm, Century City, Cybersecurity and Litigation Attorney

Alyssa M. Sones is an associate in the Business Trial Practice Group. She is the Lead Associate of Sheppard Mullin’s Retail, Fashion & Beauty Industry Team and serves as an Editor for its Retail Trend Spotter blog. Alyssa is also an active member of the firm’s Privacy and Cybersecurity Team and a Certified Information Privacy Professional (CIPP/US).

Areas of Practice

Alyssa excels at helping businesses resolve disputes with customers. She is dedicated to guiding clients through thorny state and...