Privacy and Data Security

Attorney General Sorrell Announces Data Security For Small Businesses Workshop

Facebook Presentation
The Vermont Cyber Security Project

Cyber Safety for Small Businesses
Scan Vermont
Weekend Cyber Security Bootcamp
Privacy and Data Security Round Table

Data Breaches and Identity Theft

Duty to Notify Vermont Consumers of a Security Breach
Security Breach Notices
Use of Social Security Numbers
Additional Resources

Facebook Presentation

On May 29, 2012, Attorney General Bill Sorrell, Facebook, and Essex High School hosted a presentation for parents, students, and school staff to show them how to be safe when using Facebook. Topics discused included:

the general anatomy of a Facebook page,

how to report, prevent and diffuse instances of bullying on Facebook

privacy settings,

age restrictions, and

how to use these tools for better protection.

You can watch the video here.

The Vermont Cyber Security Project

The Attorney General and Norwich University’s Center for Advanced Computing and Digital Forensics are offering a series of initiatives to help protect Vermont’s small businesses and consumers online.

If you would like to be added to our Cyber Security distribution list please click here.

Cyber Safety for Small Businesses:

What are the online threats to your business, your customers, and your reputation?

What should you be doing to protect private information?

What are your legal responsibilities if you get attacked online?

Cyber safety workshops have been held in Montpelier (June 20, 2012) and Burlington (September 12, 2012). You can view the June 20, 2012 presentation here and here. Additional workshops are being planned.

For further information and to reserve your space contact: cybersecurity@atg.state.vt.us.

Scan Vermont: Norwich University will provide free data security scans for small businesses to help keep your online presence secure. If you are interested in this program, please submit an application here.

Weekend Cyber Security Bootcamp:

The Vermont Office of the Attorney General in partnership with the Norwich University Center for Advanced Computing and Digital Forensics (NUCAC-DF) will present a day-long seminar in data security for small business. Using a boot camp format, attendees will be taken through the core technologies for securing networks, the technical side of PCI (Payment Card Industry) security requirements and what to do to comply, and important issues such as controlling malware, detecting intrusions and responding to attacks.

One of the more interesting points to be covered is a look at how cyber criminals attack a system. Attendees will get a chance to perform actual hack attacks and configure servers to resist those attacks. The approach is heavily hands-on and the class will be conducted in the NUCAC-DF’s Cyber Weapons Range War Room which also houses the Norwich Threat Analysis Center (NTAC). The War Room connects directly to the NUCAC-DF’s $2 million virtual computing center, a system separate from the University network and designed for lab-based classes such as this one.

Attendees will largely be those responsible for supporting the technical aspects of small business computing systems in Vermont.

Date:

Date to be determined.

For further information and to reserve your space contact: cybersecurity@atg.state.vt.us.

Privacy and Data Security Legislation Discussion: The Attorney General has been working with stakeholders to determine what legislation would protect Vermont consumers and businesses online? Roundtable discussions were held on August 8 and November 27, 2012. A listserv has been set up to circulate proposed language and to discuss potential legislation. If you are interested in being on the listserv, contact: cybersecurity@atg.state.vt.us.

In order to better serve the needs of Vermont's online community, and to understand how e-commerce is conducted in Vermont, we would like you to fill out this survey.

Data Breaches and Identity Theft

Personal information such as Social Security Numbers and credit and debit card numbers must be kept confidential and secure under Vermont law. This page describes how businesses and state agencies must protect consumers’ personal information and notify consumers in the event of a data security breach.

More information about how consumers and businesses can protect personal information is available under the list of Additional Resources below. If you are concerned that someone is using your personal information to commit identity theft, please refer to our information on Identity Theft.

Duty to Notify Vermont Consumers of a Security Breach

Vermont’s Security Breach Notice Act requires businesses and state agencies to notify consumers in the event a business or state agency suffers a “security breach.” A security breach is defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the [business or state agency].” 9 V.S.A. § 2430(8).

Information on what to do in the event of a security breach is available in the Vermont Attorney General’s Security Breach Notification Guidance.

The form of affirmation required to waive the 14-day preliminary notice requirement as set forth in 9 V.S.A. § 2435(b)(3)(A)(i) can be found here (PDF) or here (Word).

Security Breach Notices

The Attorney General maintains a list of notice letters received by the Office concerning incidents that may have compromised the personal information of Vermont residents

If you are concerned that someone is using your personal information to commit identity theft, please refer to our information on Identity Theft.

Use of Social Security Numbers

Vermont’s Social Security Number Protection Act requires businesses and state agencies to limit the use of Social Security Numbers and protect their confidentiality.

In addition, any person has the right to request that a town clerk or clerk of court remove from a record placed on a town’s or court’s public website the person’s Social Security Number, employer taxpayer identification number, driver’s license number, state identification number, passport number, checking account number, savings account number, credit card or debit card number, or personal identification number (PIN) or password. 9 V.S.A. § 2440(f).

Businesses must safely destroy records that contain Social Security Numbers and other personal information. 9 V.S.A. § 2445.

State agencies and political subdivisions must take all reasonable steps to redact Social Security Numbers from a document before posting it in a public place. 9 V.S.A. § 2480m.

More information about all of these laws and recommended practices for protecting the confidentiality of Social Security Numbers is available in the Vermont Attorney General’s Guidance Concerning the Protection of Social Security Numbers.

Additional Resources

Tips for Protecting Your Personal Information
Protecting Personal Information: A Guide for Business