Vermont Data Breach Notification Package

(Attorney General & Consumer Versions)

[// GUIDANCE: This template complies with Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435, current through the 2023 published version. It is designed for immediate attorney customization and use. Bracketed terms must be completed or revised before issuance.]

TABLE OF CONTENTS

1. Cover Letter to the Vermont Attorney General
2. Consumer Notice of Data Breach
3. Attachments & Exhibits Checklist

1. COVER LETTER TO THE VERMONT ATTORNEY GENERAL

[COMPANY LETTERHEAD]
[Street Address] • [City, State ZIP] • [Phone] • [E-mail]

[DATE]

Vermont Office of the Attorney General
Attn: Data Privacy & Consumer Protection Division
109 State Street
Montpelier, VT 05609

Re: Notice of Security Breach Pursuant to 9 V.S.A. § 2435
Attorney General Donovan:

Pursuant to 9 V.S.A. § 2435, [Company Legal Name], a [state of formation] [corporation/LLC/other] (“Company”), hereby provides notice of a security breach involving the personal information of Vermont residents.

1. Discovery & Breach Dates
   1.1 Date breach occurred: [MM/DD/YYYY]
   1.2 Date breach discovered: [MM/DD/YYYY]
   1.3 Date law enforcement informed (if applicable): [MM/DD/YYYY]
   1.4 Was a law-enforcement delay requested? [YES/NO]. If YES, attach written request.

2. Type of Personal Information Affected
   [Fully enumerate data elements compromised, e.g., “Names in combination with Social Security numbers and dates of birth.”]

3. Scope of Impact
   3.1 Total individuals affected (all jurisdictions): [NUMBER]
   3.2 Vermont residents affected: [NUMBER]
   3.3 States involved (if multistate): [LIST]

4. Incident Description
   A concise, factual summary of what happened, including:
   • Method of breach (e.g., phishing, system intrusion, lost device)
   • Systems or databases impacted
   • How breach was contained

5. Remediation Measures Undertaken
   • Immediate containment actions
   • Long-term security enhancements (technical, administrative, physical)
   • Identity theft protection services offered (if any)

6. Consumer Notice
   A copy of the Consumer Notice letter (Exhibit A) is enclosed.
   Date of planned mailing/e-mailing to consumers: [MM/DD/YYYY]
   Method(s) of notice: [first-class mail/e-mail/substitute, specify]

7. Additional Notifications
   • National consumer reporting agencies notified: [YES/NO/N-A]
   • Other regulators notified: [LIST or “None”]

8. Contact for Follow-Up
   Name: [PRIMARY CONTACT]
   Title: [JOB TITLE]
   Telephone: [XXX-XXX-XXXX]
   E-mail: [EMAIL ADDRESS]

The Company is committed to full compliance with Vermont’s data-breach statutes and appreciates the Attorney General’s cooperation.

Respectfully submitted,

[AUTHORIZED SIGNATORY NAME]
[Title]

Enclosures:
• Exhibit A – Form Consumer Notice Letter
• Exhibit B – Law-Enforcement Delay Documentation (if any)
• Exhibit C – List of Vermont Residents (CONFIDENTIAL)
[// GUIDANCE: Forward the AG letter at least 14 business days before the consumer mailing unless the 45-day overall statutory deadline requires simultaneous notice.]

2. CONSUMER NOTICE OF DATA BREACH

[COMPANY LETTERHEAD]

[DATE]

IMPORTANT NOTICE OF DATA BREACH
To: [FIRST NAME LAST NAME]
Address: [STREET], [CITY], [STATE] [ZIP]

Dear [Mr./Ms.] [LAST NAME]:
1. What Happened
On [MM/DD/YYYY], we discovered unauthorized access to our [system/network]. Our investigation indicates that between [MM/DD/YYYY] and [MM/DD/YYYY], an unauthorized party [brief incident description].

2. What Information Was Involved
   The incident may have involved your:
   • [Social Security number]
   • [Driver’s license or state ID number]
   • [Financial account number + access code]
   • [Health/medical information]
   No passwords, biometric data, or payment-card CVV codes were involved. [Modify as needed.]

3. What We Are Doing
   • Immediately contained and remediated the intrusion.
   • Engaged independent cybersecurity experts to assist.
   • Enhanced network monitoring, multi-factor authentication, and employee training.
   • Offered you [XX] months of complimentary [identity theft protection/credit monitoring] services through [SERVICE PROVIDER]. Enrollment instructions are below.

4. What You Can Do
   • Review your account statements and credit reports.
   • Consider placing a free fraud alert or security freeze. To place a security freeze, contact each major credit bureau:
   – Equifax 800-349-9960 | freeze.equifax.com
   – Experian 888-397-3742 | www.experian.com/freeze
   – TransUnion 888-909-8872 | freeze.transunion.com
   • Remain vigilant and promptly report suspected identity theft to law enforcement and the Federal Trade Commission (FTC) at IdentityTheft.gov or 877-438-4338.

5. How to Enroll in Complimentary Services
   • Visit: [URL]
   • Enter Activation Code: [CODE]
   • Deadline to enroll: [MM/DD/YYYY] (at least 90 days from notice).

6. For More Information
   If you have questions, please call our dedicated response line at [XXX-XXX-XXXX] between [HOURS and TIME ZONE], or e-mail us at [EMAIL].

We regret this incident and any inconvenience it may cause you. Protecting your information remains our top priority.

Sincerely,

[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Name]

[// GUIDANCE: Vermont law forbids including statements that waive, disclaim, or limit rights. Keep tone informative and avoid marketing content.]

3. ATTACHMENTS & EXHIBITS CHECKLIST

1. Exhibit A – Final Consumer Notice Letter (AG Copy)
2. Exhibit B – Law-Enforcement Delay Documentation (if applicable)
3. Exhibit C – Confidential Vermont Resident List (AG only)
4. Exhibit D – Sample CRA Notice (required if >1,000 persons nationwide)
5. Exhibit E – Proof of Service/Certificate of Mailing

[// GUIDANCE: Maintain proof of mailing/e-mailing for at least five years to evidence statutory compliance and mitigate penalty exposure under 9 V.S.A. § 2435(f).]

End of Template