§ 2445. Safe destruction of documents containing personal information
(a) As used in this section:
(1) “Business” means sole proprietorship, partnership, corporation, association, limited
liability company, or other group, however organized and whether or not organized
to operate at a profit, including a financial institution organized, chartered, or
holding a license or authorization certificate under the laws of this State, any other
state, the United States, or any other country, or the parent, affiliate, or subsidiary
of a financial institution, but in no case shall it include the State, a State agency,
or any political subdivision of the State. The term includes an entity that destroys
records.
(2) “Customer” means an individual who provides personal information to a business for
the purpose of purchasing or leasing a product or obtaining a service from the business.
(3) “Personal information” means the following information that identifies, relates to,
describes, or is capable of being associated with a particular individual: his or
her signature, Social Security number, physical characteristics or description, passport
number, driver’s license or State identification card number, insurance policy number,
bank account number, credit card number, debit card number, or any other financial
information.
(4)(A) “Record” means any material, regardless of the physical form, on which information
is recorded or preserved by any means, including in written or spoken words, graphically
depicted, printed, or electromagnetically transmitted.
(B) “Record” does not include publicly available directories containing information an
individual has voluntarily consented to have publicly disseminated or listed, such
as name, address, or telephone number.
(b) A business shall take all reasonable steps to destroy or arrange for the destruction
of a customer’s records within its custody or control containing personal information
that is no longer to be retained by the business by shredding, erasing, or otherwise
modifying the personal information in those records to make it unreadable or indecipherable
through any means for the purpose of:
(1) ensuring the security and confidentiality of customer personal information;
(2) protecting against any anticipated threats or hazards to the security or integrity
of customer personal information; and
(3) protecting against unauthorized access to or use of customer personal information
that could result in substantial harm or inconvenience to any customer.
(c) An entity that is in the business of disposing of personal financial information that
conducts business in Vermont or disposes of personal information of residents of Vermont
must take all reasonable measures to dispose of records containing personal information
by implementing and monitoring compliance with policies and procedures that protect
against unauthorized access to or use of personal information during or after the
collection and transportation and disposing of such information.
(d) This section does not apply to any of the following:
(1) any bank, credit union, or financial institution as defined under the federal Gramm
Leach Bliley law that is subject to the regulation of the Office of the Comptroller
of the Currency, the Federal Reserve, the National Credit Union Administration, the
Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the
Office of Thrift Supervision of the U.S. Department of the Treasury, or the Department
of Financial Regulation and is subject to the privacy and security provisions of the
Gramm Leach Bliley Act, 15 U.S.C. § 6801 et seq.;
(2) any health insurer or health care facility that is subject to and in compliance with
the standards for privacy of individually identifiable health information and the
security standards for the protection of electronic health information of the Health
Insurance Portability and Accountability Act of 1996; or
(3) any consumer reporting agency that is subject to and in compliance with the Federal
Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended.
(e) Enforcement.
(1) With respect to all businesses subject to this section, other than a person or entity
licensed or registered with the Department of Financial Regulation under Title 8 or
this title, the Attorney General and State’s Attorney shall have sole and full authority
to investigate potential violations of this section, and to prosecute, obtain, and
impose remedies for a violation of this section, or any rules adopted pursuant to
this section, and to adopt rules under this chapter, as the Attorney General and State’s
Attorney have under chapter 63 of this title. The Superior Courts shall have jurisdiction
over any enforcement matter brought by the Attorney General or a State’s Attorney
under this subsection.
(2) With respect to a person or entity licensed or registered with the Department of Financial
Regulation under Title 8 or this title to do business in this State, the Department
of Financial Regulation shall have full authority to investigate potential violations
of this chapter, and to prosecute, obtain, and impose remedies for a violation of
this chapter, or any rules or regulations made pursuant to this chapter, as the Department
has under Title 8 and this title, or any other applicable law or regulation. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007.)