Vermont Cybersecurity Laws You Should Know (2026)
Mitch Wolverton

Vermont has some of the older and more specific data protection statutes in the country: a breach notification law with fixed outer deadlines, the first state data broker registration law, and an insurance data security law modeled on the NAIC standard. It does not, however, have a comprehensive consumer privacy act in force; the legislature passed one (H.121) in 2024, but the Governor vetoed it and the override failed. If your business collects, stores, or processes personal information about Vermont residents, you need to understand which obligations actually apply, and check the current status of any successor privacy bill before relying on a summary like this one.
Vermont Cybersecurity and Data Privacy Laws
Vermont Security Breach Notification Law (9 V.S.A. § 2435)
The Vermont Security Breach Notification Law requires data collectors (businesses, government agencies, and third parties that own, license, or maintain personally identifiable information about Vermont residents) to notify affected consumers after discovering or being notified of a security breach.
Key requirements include:
- Consumer notice timing: Notice must be given in the most expedient time possible and without unreasonable delay, and in any case no later than 45 days after discovery of the breach, subject only to the legitimate needs of law enforcement.
- Attorney General notice: Every breach requiring consumer notice must also be reported to the Vermont Attorney General (or, for entities regulated by it, the Department of Financial Regulation). The report is due within 14 business days of discovery or of the consumer notice, whichever is sooner, and must state the date of the breach and the date of discovery; a preliminary notice may be filed before the scope is fully known.
- Consumer reporting agencies: If more than 1,000 consumers are notified at one time, the data collector must also notify all nationwide consumer reporting agencies.
- Notice content: Consumer notices must describe the incident in general terms, the type of personally identifiable information involved, the steps the data collector has taken to protect the information from further breaches, a contact point for further information, and advice directing the consumer to remain vigilant by reviewing account statements and credit reports.
- Login credentials: Vermont's statute was amended in 2020 to treat a breach of login credentials (a user name or e-mail address together with a password or security question and answer) as a notifiable breach; for these, the notice may be delivered electronically and must direct the user to change the affected credentials.
Personally identifiable information means a consumer's first name or initial and last name in combination with a Social Security number, a driver's license or non-driver identification card number, a financial account or payment card number together with any code needed to access the account, or other identifiers added in the 2020 amendments such as passport number, biometric data, genetic information, and health or health insurance records. Data that was encrypted, redacted, or otherwise rendered unreadable is excluded, provided the key was not also compromised.
Vermont Data Privacy Act (H.121) – Passed in 2024, Vetoed
Vermont does not currently have a comprehensive consumer data privacy law of the kind enacted in Virginia, Colorado, and Connecticut. The legislature passed the Vermont Data Privacy Act (H.121) in May 2024. It would have given residents rights to access, correct, and delete personal data and to opt out of targeted advertising and the sale of personal data, imposed data minimization and data protection assessment obligations on controllers, and, unusually, included a limited private right of action. Governor Phil Scott vetoed the bill on June 13, 2024, citing the private right of action and the bill's divergence from other state laws, and the House failed to override the veto. Successor bills have been introduced since; treat any claim that a Vermont "CDPA" is in effect as unverified until you have checked the statute yourself.
Protection of Personal Information (9 V.S.A. § 2430 et seq.)
The chapter that is actually codified at 9 V.S.A. § 2430 et seq. (Title 9, Chapter 62) is not a comprehensive privacy act. It contains the definitions used by the breach notification law, restrictions on the use and public display of Social Security numbers (§ 2440), the breach notification law itself (§ 2435), and the Data Broker Regulation (§§ 2446–2447), which took effect January 1, 2019 and was the first law of its kind in the United States.
The data broker provisions apply to businesses that collect and sell or license brokered personal information about consumers with whom they have no direct relationship. They require data brokers to:
- Register annually with the Vermont Secretary of State and pay the registration fee
- Disclose whether and how consumers may opt out of collection or sale of their data
- Report the number of security breaches experienced in the prior year and, if known, the number of consumers affected
- Maintain a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the size of the business and the sensitivity of the data
The chapter also prohibits acquiring brokered personal information through fraudulent means, or using it to stalk, harass, commit fraud, or engage in unlawful discrimination.
Enforcement:
Failure to register or to maintain the required security program is enforceable by the Vermont Attorney General as an unfair and deceptive act under the Consumer Protection Act (9 V.S.A. § 2453).
Vermont Consumer Protection Act (9 V.S.A. § 2451 et seq.)
The Vermont Consumer Protection Act prohibits unfair and deceptive acts or practices in commerce (9 V.S.A. § 2453) and is the Attorney General's primary enforcement tool for data security. Misrepresenting cybersecurity or privacy practices in a privacy policy or marketing statement can be a deceptive act; failing to implement reasonable safeguards for personal data, or failing to meet the breach notification or data broker requirements above, can be an unfair one.
Sector-Specific Cybersecurity Requirements That Affect Vermont Businesses
Vermont Insurance Data Security Law (8 V.S.A. § 4089i)
Vermont has adopted a state-level insurance data security law modeled on the NAIC Insurance Data Security Model Law (MDL-668). It requires insurance licensees (carriers, agencies, producers, and related entities regulated by the Department of Financial Regulation) to:
- Maintain a written information security program based on a documented risk assessment, with board-level oversight
- Conduct and update risk assessments and oversee third-party service providers
- Maintain an incident response plan and investigate cybersecurity events
- Notify the Department of Financial Regulation of qualifying cybersecurity events; the NAIC model on which the law is based sets a 72-hour window from the determination that a cybersecurity event occurred
- Certify compliance to the Department annually
These requirements run in addition to the general breach notification law, so an insurer handling a breach of policyholder data typically has both a DFR notice and a consumer notice clock running at once.
Federal, International, and Industry Requirements That May Also Apply
In addition to Vermont state law, many businesses operating in the state must also comply with federal law, foreign law, and industry standards, depending on what data they handle and who they serve:
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a contractual standard imposed by the card brands through merchant agreements, not a statute. It applies to Vermont businesses that store, process, or transmit cardholder data and requires network segmentation, encryption of cardholder data, access control, logging and monitoring, and regular testing.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to Vermont covered entities (providers, health plans, clearinghouses) and their business associates that handle protected health information (PHI). The Security Rule mandates administrative, technical, and physical safeguards, and the Breach Notification Rule requires notice to individuals and to HHS.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in Vermont must comply with GLBA. The FTC's amended Safeguards Rule requires a written information security program, a designated qualified individual, risk assessments, encryption, multi-factor authentication, and employee training, and since May 2024 requires notifying the FTC within 30 days of a breach affecting 500 or more consumers. Banks and credit unions follow the equivalent rules of their federal regulators.
General Data Protection Regulation (GDPR)
GDPR is European Union law, not federal law, but it reaches Vermont businesses that offer goods or services to, or monitor the behavior of, people in the EU. It requires a lawful basis for processing, transparency, data subject rights including erasure, and notification of personal data breaches to the supervisory authority within 72 hours.
Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)
The New York Department of Financial Services regulation applies to entities licensed by NYDFS, including Vermont-based insurers, banks, and other financial firms that hold a New York license. It requires a cybersecurity program, a CISO, multi-factor authentication, penetration testing, and notice to NYDFS within 72 hours of a qualifying cybersecurity event.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF 2.0) is voluntary, but regulators and courts frequently treat it as a benchmark for "reasonable" security, and it is a practical way to structure the written information security programs that Vermont's data broker and insurance laws require.
Federal Trade Commission (FTC) Act, Section 5
Section 5 of the FTC Act prohibits unfair or deceptive acts or practices. The FTC uses it to hold businesses accountable for failing to maintain reasonable security for consumer data and for misrepresenting their security or privacy controls; the Vermont Consumer Protection Act is the state-level counterpart.
Children's Online Privacy Protection Act (COPPA)
If your Vermont business operates a website or online service directed to children under 13, or knowingly collects personal information from them, COPPA applies. It requires verifiable parental consent before collection, a compliant privacy notice, and reasonable security for the data collected, and it limits behavioral tracking.
Sarbanes-Oxley Act (SOX)
SOX applies to publicly traded companies. Section 404 requires management to assess internal controls over financial reporting, which in practice means the IT general controls (access management, change management, logging) around financial systems are audited.
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to Vermont schools that receive federal education funding and to vendors handling student education records on their behalf. It requires written consent before disclosing personally identifiable information from education records, with defined exceptions.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
CIRCIA, enacted in 2022, will require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours once CISA's implementing rule takes effect. Vermont utilities, healthcare systems, and other critical infrastructure operators should track the final rule.
CAN-SPAM Act
CAN-SPAM governs commercial e-mail: accurate headers and subject lines, identification as an advertisement, a valid postal address, and a working opt-out mechanism honored within 10 business days.
Defense Federal Acquisition Regulation Supplement (DFARS)
Vermont defense contractors must comply with DFARS 252.204-7012, which requires implementing the NIST SP 800-171 controls to protect controlled unclassified information and reporting cyber incidents to the Department of Defense within 72 hours, and with the CMMC assessment requirements as they are phased into contracts.
Best Practices for Complying with Vermont Cybersecurity Laws
To meet Vermont's requirements and the overlapping federal ones, businesses should adopt the following cybersecurity and privacy practices:
- Conduct regular risk assessments and third-party vendor evaluations.
- Maintain a written information security program and a privacy notice that match what you actually do; Vermont's data broker and insurance laws require the program in writing, and the Consumer Protection Act makes an inaccurate notice a deceptive act.
- Encrypt sensitive data both in transit and at rest.
- Implement access controls and multi-factor authentication.
- Create and test incident response and breach notification procedures, including a pre-built timeline so the 45-day consumer notice and 14-business-day Attorney General notice deadlines are not missed.
- Train employees on privacy rights, phishing, and social engineering threats.
- Use a recognized framework such as NIST CSF, ISO 27001, or the CIS Controls to structure and document the program.
These measures support compliance and, more importantly, strengthen defenses against the threats that actually cause notifiable breaches, such as ransomware, credential theft, and insider misuse.
Conclusion
Vermont's cybersecurity landscape consists of a breach notification law with fixed deadlines for consumer and Attorney General notice, the data broker registration and security program requirements, the insurance data security law, and Consumer Protection Act enforcement by the Attorney General; a comprehensive consumer privacy act was passed in 2024 but vetoed. Compliance with these laws, together with the applicable federal and industry standards, helps organizations protect personal information, reduce legal risk, and maintain the trust of customers and residents.
Frequently Asked Questions About Vermont Cybersecurity Laws
- What is Vermont's main cybersecurity law?
The Vermont Security Breach Notification Law (9 V.S.A. § 2435) requires notice to affected consumers and to the Attorney General after a breach of personally identifiable information, including login credentials.
- Does Vermont have a comprehensive privacy law?
No. The Vermont Data Privacy Act (H.121) passed the legislature in 2024 but was vetoed by the Governor, and the override failed. Vermont does have a data broker registration law (9 V.S.A. §§ 2446–2447) and an insurance data security law.
- Who enforces Vermont cybersecurity and privacy laws?
The Vermont Attorney General's Office enforces the breach notification, data broker, and Consumer Protection Act requirements; the Department of Financial Regulation oversees the insurance data security law and receives breach reports from the entities it regulates.
- How quickly must a business notify individuals of a breach?
In the most expedient time possible and without unreasonable delay, and no later than 45 days after discovery. The Attorney General (or DFR) must be notified within 14 business days of discovery or of the consumer notice, whichever comes first.
- When must consumer reporting agencies be notified?
When more than 1,000 consumers are notified of a single breach, the data collector must also notify the nationwide consumer reporting agencies.
Read More Cybersecurity Laws by State:
Florida Cybersecurity Laws You Should Know (2026)
Ohio Cybersecurity Laws You Should Know (2026)
Virginia Cybersecurity Laws You Should Know (2026)
North Carolina Cybersecurity Laws You Should Know (2026)
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
Mitch Wolverton
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry's largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
