Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to use that data for advertising. More specifically, Vermont’s H.764 defines “data broker” as one “in the business of aggregating and selling data about consumers with whom the business does not have a direct relationship.” Citing the importance of regulating cybersecurity, this law requires all data brokers to register with the State of Vermont and install “minimum features” in their information security programs. These “minimum features” include identification of anticipated risks, employee training, and measures for discovering and responding to data breaches. Further, data brokers must annually disclose to the Attorney General information about the data collected, any data breaches, and general information regarding data collection, storage and sales. Violations of H.764 are subject to prosecution from the Vermont Attorney General under the state’s unfair and deceptive acts statute.
The “minimum features” provided for in the Vermont statute are truly “minimum,” at least insofar as the technology is concerned. Given that information is itself the “product” of data brokers, it is unlikely that any of these companies do not already employ sophisticated technology to ensure cybersecurity. However, there are two main aspects of this legislation that should be emphasized for data brokers, and they also happen to be applicable to other companies handling data. First, with this law Vermont is implementing a concrete oversight mechanism for a particular business field that is separate from, and in addition to, Vermont’s Security Breach Notice Act. In other words, we are now seeing regulation stacking for companies that are in the business of collecting and storing data, similar to what exists for many traditional enterprises and manufacturers. It is therefore incumbent upon companies to employ or retain outside consulting experts to identify which regulations apply, where they overlap, and where any gaps between them exist. Second, H.764 shares a common thread with virtually every cybersecurity and privacy law in this country and the world: annual reviews. Registration, disclosures, and submission of the information security programs are due annually, along with confirmation that regular internal reviews take place. Governments have long accepted that data breaches are inevitable and instead focus on ensuring annual cybersecurity “check-ups.” All companies should therefore conduct annual reviews of their cybersecurity technology, their data breach response mechanisms, and any regulations that could apply to those activities. While the Vermont legislation applies only to data brokers, we have already seen the oversight of various regulatory bodies creep into the cyber sphere, and it is all but guaranteed to continue at a rapid pace in 2019.