On May 8, 2012, the State of Vermont amended its Security Breach Notice Act. was amended. The changes included:
- The breach can be either a known unauthorized acquisition, or a "reasonable belief of an unauthorized acquisition..."
- Breach notice must be provided to Vermont residents within 45 days after discovery of the breach
- Breach notice must be given to the Vermont Attorney General with 14 business days of the date the breach was discovered, or the date affected Vermont residents were notified
- Breach notice must include the date discovered, a description of the breach, the number of Vermont residents affected, and a copy of the notice sent to affected Vermont resident
- Textual changes to make the law's description of sensitive personal information consistent with the industry-standard, PII (Personally Identifiable Information)
Breach notice to affected Vermont residents must describe the incident, the date of the breach, the types of personal data lost/stolen, and methods to protect sensitive personal data from further breaches