§ 2445 - Safe destruction of documents containing personal information
(a) As used in this section:
(1) "Business" means sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state, any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but in no case shall it include the state, a state agency, or any political subdivision of the state. The term includes an entity that destroys records.
(2) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.
(3) "Personal information" means the following information that identifies, relates to, describes, or is capable of being associated with a particular individual: his or her signature, Social Security number, physical characteristics or description, passport number, driver's license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
(4)(A) "Record" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted.
(B) "Record" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.
(b) A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:
(1) ensuring the security and confidentiality of customer personal information;
(2) protecting against any anticipated threats or hazards to the security or integrity of customer personal information; and
(3) protecting against unauthorized access to or use of customer personal information that could result in substantial harm or inconvenience to any customer.
(c) An entity that is in the business of disposing of personal financial information that conducts business in Vermont or disposes of personal information of residents of Vermont must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.
(d) This section does not apply to any of the following:
(1) Any bank, credit union, or financial institution as defined under the federal Gramm Leach Bliley law that is subject to the regulation of the Office of the Comptroller of the Currency, the Federal Reserve, the National Credit Union Administration, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision of the U.S. department of the treasury, or the department of banking, insurance, securities, and health care administration and is subject to the privacy and security provisions of the Gramm Leach Bliley Act, 15 U.S.C. § 6801 et seq.
(2) Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.
(3) Any consumer reporting agency that is subject to and in compliance with the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended.
(e) Enforcement.
(1) With respect to all businesses subject to this section, other than a person or entity licensed or registered with the department of banking, insurance, securities and health care administration under Title 8 or this title, the attorney general and state's attorney shall have sole and full authority to investigate potential violations of this section, and to prosecute, obtain and impose remedies for a violation of this section, or any rules adopted pursuant to this section, and to adopt rules under this act, as the attorney general and state's attorney have under chapter 63 of this title. The superior courts shall have jurisdiction over any enforcement matter brought by the attorney general or a state's attorney under this subsection.
(2) With respect to a person or entity licensed or registered with the department of banking, insurance, securities, and health care administration under Title 8 or this title to do business in this state, the department of banking, insurance, securities, and health care administration shall have full authority to investigate potential violations of this act, and to prosecute, obtain, and impose remedies for a violation of this act, or any rules or regulations made pursuant to this act, as the department has under Title 8 and this title, or any other applicable law or regulation. (Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007.)