Vermont Act 171: Data Broker Act of 2018


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
I'm Chris, and I'm the instructor for the US Information Privacy course. We're going to continue our review of US state-level data privacy, data security, and other applicable laws. In lesson 9.3, we're going to look at the Vermont Act 171, which is its Data Broker Act of 2018. Now I must say that this act was the first act at the US state level that required data brokers to actually register and comply with how they handled a Vermont resident's brokered personal information, which is somewhat different than the broader definition of personal information. In January 2020, California was another state that had a requirement that data brokers register with the state attorney general, and other states have also done that.

We have several learning objectives. We're going to look at the act's applicability and definitions. We're going to define what it means to be brokered personal information. We're going to look at some of those obligations that data brokers who have to comply with this act must meet. We're going to talk about some of those registration requirements, and we'll close our discussion with a review of the minimum security standards that those data brokers must have in place to be in compliance with this act.

Let's talk about Vermont's Data Broker Regulation. The regulation has three parts. It has a requirement that data brokers that have to comply with this act have to register annually with the Vermont Secretary of State, and must provide certain information and pay an annual fee. There's a requirement that those same data brokers must maintain certain minimum data security standards when processing and handling what's known as brokered personal information, or BPI. Then the act has a prohibition on the use of this information by these data brokers in cases of fraud, and in cases where they intentionally violate this act.

What is a data broker under this law? A data broker is someone who knowingly collects and sells or licenses Vermont residents' commercial information, with whom they don't have a direct relationship. Who might that be? It could be a retailer that sells information about its customers to a third party, or licenses that information; it could be a charity that sells that information about its donors. Now, who is not considered a broker? If you are a business that both collects data and uses it for your own internal use, or analyzes it for your own internal use, then you're not considered a data broker under this law. What's an example? That could be an insurance company that's buying this type of consumer data in order to set rates and develop new products. But it doesn't resell that information, so it would not be considered a data broker under this law. The law itself really pertains to those consumers that are physically residing in the State of Vermont. If you are a data broker and you have no data on Vermont residents, then you don't have to comply with this Data Broker Act.

What type of information are we talking about? This act really identifies what's known as brokered personal information. Now the first requirement is that this information must be computerized or in electronic format. The second requirement is that the organization that's collecting any information for sale, or for transfer or licensing to a third party with which it does not have a direct relationship, has to categorize or organize that information for dissemination to that third party. What's an example? You can have a company that has categorized information such as "people with incomes over $100,000," and then it is selling or licensing that information to a third party with whom it doesn't have that direct relationship; then that wouldn't be considered BPI.

What is BPI? It could be a name, it could be an address, it could be a date of birth, place of birth, your mother's maiden name, certain types of biometric information, it could be the name or address of that consumer's immediate family or household, or it could be some type of government-issued identifier, like a Social Security number. Or it could be any information, like we've seen with other definitions, that alone or in combination with these other identifiers is sold or licensed and would allow a reasonable person to be able to identify or re-identify that consumer. Now BPI doesn't include publicly available information, but only to the extent that it is related to a business or profession. If I were a doctor's office, my office address and phone number is not BPI, but my home phone number and address would be considered BPI if I wasn't using it for business purposes.

Let's look at the obligations of a data broker. It has responsibilities to register with the Vermont Secretary of State annually, provide certain information, and pay an annual fee of $100. It also has to maintain minimum data security standards to protect that information. How do you register? You go to the Vermont Secretary of State's website, you fill out an online form, and you have to do this each year by January 31st, and you have to provide certain information: contact information on the data broker. You have to acknowledge the information that they receive. If you allow customers to opt out of different practices, you've got to detail how you allow them to do so, and when you allow them to do so. You also have to ensure that you include a statement of whether the data broker implements a purchaser credentialing process. You'd have to give them explicit details on it, but you've got to account for it. Then you also have to account for the number of breaches of BPI.

Another question is, what happens if I don't comply? Beginning on February 1st of that year, you can be fined a penalty of $50 for each day that you fail to register. That can be up to a maximum of $10,000 per year. You've still got to pay the $100 registration fee, so just pay it. I mean, that's the right thing to do.

When you look at the minimum security standards that you must maintain, you can look to the Massachusetts data security law, which has the most prescriptive data security requirements of any state in the United States. Vermont has adopted a similar approach to information security. It requires those data brokers that have to comply with this act to have and implement a comprehensive information security program and maintain it in writing. You've got to have someone overseeing your security program. You've got to conduct periodic risk assessments. You've got to make sure that all those people that are touching and handling that BPI are trained, whether they're core employees or contractors. You've got to make sure that you have ways to really deal with incident response. You've got to make sure that you have those security policies in place, and then make them available to those employees and contractors. You've got to have provisions for sanctions and termination, should these employees or contractors violate the law. You've got to have access control mechanisms in place, oversee your third-party advertisers, and review and update this program as needed. Now it also has requirements, from a computer system security perspective, that if you're selling or licensing BPI you've also got to use secure user authentication protocols and have secure access control measures. You've got to make sure that you use encryption any time that you have data in transit, and use encryption of that information on laptops and portable devices. There are also other information security and computer security requirements, and I encourage you to read this act in its entirety.

Question one asks: the Vermont Act 171 consists of which main parts? The appropriate answers are A, B, and C. Question two asks about the definition of brokered personal information. The appropriate answers are A, B, C, and D.

In summary, the Vermont Act 171 Data Broker Registration Act is the first of its kind in the United States. It establishes those requirements for those data brokers that must comply with this act, and those that are collecting brokered personal information from residents of Vermont within the state. It defines for us what it means to be brokered personal information, provides guidance on those minimum data security standards, and also states the obligations that these entities must meet.