Liisa M. Thomas and Shanna M. Pearce of Sheppard, Mullin, Richter & Hampton LLP write:
On January 1, 2019 Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers must keep a record of “data broker breaches” and annually tell this information to the state. Brokers will need to provide this as part of a new annual registration process. The registration also requires data brokers to explain how they let individuals opt-out of having information collected, stored or sold. Finally, data brokers also have to develop and maintain a comprehensive information security program.
Data broker breaches are defined as unauthorized acquisition of “broker personal information.” This is broader than personal information that triggers general breach notice obligations
Read more on The National Law Review.