Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into effect in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.

Programs need to have at least one employee who maintains them, and the program should identify and evaluate potential risks. Data brokers must also have security policies in place, and those policies must include disciplinary action for non-compliance. They must also, under the law, monitor and document both the program and security breaches. The law includes a variety of technical standards to which a comprehensive security program must adhere. This is very similar to the program set forth in the FTC's BLU settlement we reported on recently.

Credit reporting agencies are a type of data broker under the law, and must follow specific requirements. These include a standard written notice to consumers and rules related to the placing of security freezes on a consumer’s credit report.

Personal information covered by the law includes not just sensitive information like biometric data, but also contact information and several types of demographic information. Brokers are required to register annually with the Secretary of State. As part of the annual registration, brokers need to give information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Putting it Into Practice: This law is a reminder that more and more, legislators are drafting laws with specifics about data protection requirements and privacy and security programs. Here, for companies that are in the business of sharing information that they have not collected directly from consumers, this law is an important one to review.