The Vermont state legislature recently enacted a first-of-its-kind bill to regulate data brokers — without the signature of its governor, Phil Scott.
Following the Equifax data breach, and motivated by a December 2017 report from the Vermont attorney general and Department of Financial Regulation, H.764, An act relating to the regulation of data brokers, ultimately extends to data brokers requirements for information security programs similar to those mandated by the Gramm-Leach-Bliley Act and the Security Rule of the Health Insurance Portability and Accountability Act.
Definition of data broker
The law narrowly defines the term “data broker” as “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” To meet the criteria of a data broker, the business must sell or license brokered personal information, which consists of one or more computerized data elements such as name, address, date or place of birth, mother’s maiden name, biometric data and the like, as well as “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party.”
An important limitation on the definition of “data broker” is that the law doesn’t apply to businesses that collect information from their own customers, employees, users or donors, or to businesses that “provide services for consumer-facing businesses and maintain a direct relationship with those consumers, such as a website, 'app,' and e-commerce platforms.”
Consumer protection requirements
The law applies four approaches to ensuring consumers’ protection: prohibiting the acquisition and use of data for fraudulent purposes; increasing transparency through registration and disclosure; freeing consumers from monetary deterrents; and providing for minimum information security requirements.
Prohibition on data use
The Vermont law prohibits the acquisition of brokered PI by fraudulent means and the acquisition and use of brokered PI for the purpose of stalking or harassment, committing fraud (e.g. identity theft, financial fraud, or e-mail fraud), or to engage in unlawful discrimination (including but not limited to employment and housing discrimination).
Transparency
Annual registration: Under the law, data brokers who sell or license “brokered personal information” must pay $100 and register annually with the Vermont Secretary of State by January 31 following a year in which a person meets the criteria for being a data broker.
Disclosures to consumers: Additionally, upon filing, a data broker must provide consumers with the name and primary physical, email and internet addresses of the data broker, how to opt out of first-party and third-party data collection, whether the data broker implements a purchaser credentialing process, and whether the business experienced any security breaches within the last year, along with the number of individuals affected by each breach. Data belonging to minors is subject to additional disclosure requirements.
Freedom from monetary deterrents
Vermont’s new law separately requires credit reporting agencies, not data brokers, to offer consumer credit security freezes and unfreezes free of charge. Consumers can already receive their credit report free once per year from each of the three major credit reporting agencies. Additionally, the law imposes stricter authentication requirements for initiating or lifting a credit freeze. The law also creates a one-stop shop for credit freezes, in which a credit freeze placed with one credit reporting agency must initiate freezes with the other credit reporting agencies.
Requirement for information security program
Data brokers are required to develop, implement, and maintain a comprehensive information security program that is written, readily accessible and able to protect personally identifiable information with administrative, technical and physical safeguards appropriate to the scope and size of the business. Requirements include:
- Designation of employees to maintain the program.
- Privacy risk assessments for reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, with a process for evaluating and improving the effectiveness of the current safeguards for limiting such risks.
- Record keeping for disciplinary measures for violations of the comprehensive information security program rules.
- Data minimization and limited employee access to records.
- Management of third-party vendors.
- Regular monitoring, review, and updating of the security program.
- Documenting actions taken in response to security breaches and post-incident reviews.
Additionally, the minimum requirements for the information security program should include computer system requirements for secure user authentication protocols, including access controls, secure password requirements, encryption or protocols with a higher degree of security, reasonable monitoring for unauthorized access to or use of personally identifiable information, up-to-date system security software, and training for employees. The attorney general may adopt rules to implement the new security provisions.
Enforcement
H.764 provides a layered effective date in which the findings and intent of the law, elimination of fees for placing or removing a credit freeze, and future report requirements went into effect immediately following its passage. However, data brokers will have until January 1, 2019, to comply with the annual registration, technical requirements and disclosures to consumers as presented in Chapter 62.
Enforcement of data broker registration is handled by the Attorney General’s Office and can result in civil penalties, action in the Civil Division of the Superior Court to collect penalties, and appropriate injunctive relief. Failure to meet the new security program requirements can be declared an “unfair and deceptive act[s] in commerce.” Lastly, an enforcement action under the data broker provisions must be brought by the Attorney General; private citizens can, however, seek civil action under credit reporting laws.