Vermont

Data breaches are increasingly prevalent as society becomes more dependent on technology. The breaches may happen accidentally due to oversights or via purposeful infiltration, which is much more common. Cybercriminals have made a career out of accessing and stealing personal information through hacking, malware, ransomware, denial of service, and identity theft. Vermont is one of the less populated states, ranking 52nd in the number of victims of data breaches yearly. In 2023, though, it incurred $8,818,181 in losses due to data breaches. Most of these incidents happened in local government and retail facilities.

Identity Theft Statistics

Identity Theft Reports
  • State Rank (Reports per 100K Population): 49th
  • Identity Theft Reports: 338

Fraud & Other Reports
  • State Rank (Reports per 100K Population): 44th
  • Total Fraud & Other Reports: 3,102

Fraud Losses
  • Total Fraud Losses: $2.3M
  • Median Fraud Losses: $300

Top Ten Report Categories

  • Imposter Scams: 24%
  • Identity Theft: 10%
  • Online Shopping and Negative Reviews: 8%
  • Banks and Lenders: 6%
  • Prizes, Sweepstakes and Lotteries: 6%
  • Telephone and Mobile Services: 6%
  • Auto Related: 5%
  • Internet Services: 4%
  • Credit Cards: 3%
  • Debt Collection: 2%

Top Identity Theft Types

  • Credit Card Fraud: 221 (33%)
  • Bank Fraud: 152 (23%)
  • Other Identity Theft: 115 (17%)
  • Loan or Lease Fraud: 59 (9%)
  • Phone or Utilities Fraud: 45 (7%)
  • Employment or Tax-Related Fraud: 45 (7%)
  • Government Documents or Benefits Fraud: 28 (4%)

Vermont's Recent Biggest Data Breaches

December 2023

Southeast Vermont Transit Data Breach

In December 2023, Southeast Vermont Transit (SEVT) discovered unusual activity in its network. The transportation service immediately disconnected the network and engaged a third-party cybersecurity company to assist with securing its environment. Based on the findings, the information involved included names, direct deposit details, driver's license records, pick-up and drop-off information, as well as accessibility information for transit purposes. 3,500 individuals were affected during this incident, and the company sent them notification letters as an update on the breach. SEVT also improved its security protocols and provided those affected with 12 months of credit monitoring.

September 2023

Central Vermont Home Health & Hospice Data Breach

In September 2023, Central Vermont Home Health and Hospice (CVHH) discovered a data breach involving an employee's user account. The compromise of this account could have resulted in the accidental exposure of personal information. CVHH immediately began an investigation in collaboration with a third-party cybersecurity firm. The information exposed included names, addresses, birth dates, and Social Security numbers. That said, there was no evidence to suggest that the personal information was misused. CVHH sent notification letters to everyone affected by the data breach incident. The organization also indicated it took the incident seriously and offered those affected twelve months of credit monitoring.

September 2023

Central Vermont Regional Planning Commission Data Breach

On September 14, 2023, the Central Vermont Regional Planning Commission (CVRPC) experienced a data breach. On discovering the issue, the personnel and their IT service provider closed the system to external access. They also reviewed all logs to determine the scope of the unauthorized access. Personnel also replaced all hardware that may have been vulnerable during the incident. According to the investigation, names, addresses, emails, and dates of birth may have been accessed. There was no evidence that personal information was being used for malicious reasons. CVRPC has since sent notification letters to all who were affected. It also provided those affected with 24 months of free credit monitoring and a $1,000,000 insurance reimbursement policy.

August 2023

Vermont Department of Labor Data Breach

In August 2023, Vermont Department of Labor systems were accessed by unauthorized users whom the Department could not identify. On learning about the issue, the Department and the Agency of Digital Services removed access to the documentation and corrected the website misconfiguration. The group also investigated which specific files were accessed during the incident. The affected documents included names, birth dates, addresses, and Social Security numbers. The Department of Labor stated that it takes information protection seriously and issued notification letters to all affected. Credit monitoring and identity protection services were given as well.

December 2022

Vermont Christmas Company Data Breach

The Vermont Christmas Company experienced a data breach between November 2021 and December 2022. On discovering the incident, the company began an investigation to see the extent of the damage. From the investigation, it was determined that names, email addresses, billing addresses, payment card numbers, CVV codes, and expiration dates were accessed. VCC claimed that it understood the incident's seriousness and reviewed its procedures concerning third-party vendors. Vermont Christmas Company also issued notification letters to all who were affected. It encouraged its customer base to stay vigilant against identity theft and fraud by continually reviewing their financial accounts.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

01. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, Social Security numbers, full names, and phone numbers.

03. Contain the Breach

Isolate the affected system to prevent further damage.

04. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.

07. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

State regulations mandate that all organizations disclose data breaches to Vermont residents in the event of a relevant incident. These breaches must be reported within 45 days after the discovery of the event. There is an exception allowing delays in the notification, especially if a law enforcement agency requests it due to conflicting interests.

Businesses must also notify the Vermont Attorney General or the Department of Financial Regulation within 14 days of learning about the incident. Notices to the Attorney General must include the date of the breach, the number of residents affected, and a description of the breach. If the date of the incident is not determined, the business will send a notice to the Attorney General's office immediately when the date becomes apparent.

Notices may be given to those affected by written letters mailed to their residence, telephone calls, or electronic mail. Substitute notices are also available if the business is unaware of the contact details of all affected. Similarly, if the notice costs more than $10,000, then a substitute one can be sent. Substitute notices are given by a conspicuous posting on the business's website, statewide media alert, or email to the affected individuals. The state's Attorney General has the power to enforce penalties for not abiding by these regulations.

Laws

  • The Vermont Security Breach Notice Act addresses businesses and their notification processes for consumers as well as the Attorney General. It also considers the definitions of a security breach event and what should be disclosed in a notification letter.
  • The Vermont Data Privacy Act provides individuals the ability to access, correct, or delete information that entities have concerning them. Citizens can also opt out of the use of their personal data for targeted advertising or sales.
