Can I ignore my obligations as a service provider with access to personal information in Vermont? What are the requirements?
Based on the context documents, no. As a service provider with access to personal information in Vermont, you cannot ignore your obligations. The sources cited below impose duties on you from three directions: the Vermont statutes governing warrants for records held by service providers (13 VTST 8105 and 8106), the licensing statute for personal information protection companies (8 VTST 2453), and the Vermont privacy and safeguarding regulations for financial institutions and licensees (VTCR 21-010-016, 21-020-053 and 21-020-055), which reach you through the contract, redisclosure limits and oversight they require.
Requirements for Service Providers with Access to Personal Information in Vermont
As a service provider with access to personal information in Vermont, the following provisions apply to you. They bind you in different ways, so read each one for who the duty falls on: the warrant provisions [1.1] and [1.2] impose direct duties on any service provider; the opt-in exceptions [3.1] and [5.1] and the oversight provision [6.1] place their duties on the financial institution or licensee, which must then bind you by contract and confirm that you meet them; the redisclosure limits [5.2] restrict directly what you may do with nonpublic personal financial information you receive under an exception; [3.2] defines the scope of the regulation; and the licensing provision [2.1] applies only if you engage in business as a personal information protection company.
- Execution of warrant for information kept by service provider [13 VTST 8105][1.1]: If a warrant is issued under this chapter, it may be addressed to any Vermont law enforcement officer. The officer shall serve the warrant upon the service provider, the service provider’s registered agent, or, if the service provider has no registered agent in the State, upon the Office of Secretary of State in accordance with 12 V.S.A. §§ 851-858. If the service provider consents, the warrant may be served via U.S. mail, courier service, express delivery service, facsimile, electronic mail, an Internet-based portal maintained by the service provider, or other reliable electronic means. The physical presence of the law enforcement officer at the place of service or at the service provider’s repository of data shall not be required.
- Service provider’s response to warrant [13 VTST 8106][1.2]: The service provider shall produce the items listed in the warrant within 30 days unless the court orders a shorter period for good cause shown, in which case the court may order the service provider to produce the items listed in the warrant within 72 hours. The items shall be produced in a manner and format that permits them to be searched by the law enforcement officer.
- Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing [VTCR 21-010-016 § 14][3.1]: The opt-in requirements in Sections 8 and 11 do not apply when a financial institution provides nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf, if the financial institution provides the initial notice in accordance with Section 5, enters into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes, and, for joint agreements for marketing, provides only the consumer’s name, contact information and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a(d)(2)(A)(i), and the Vermont Fair Credit Reporting Act, 9 V.S.A. § 2480a(2)(A).
- Exception to Opt In Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing [VTCR 21-020-053 § 14][5.1]: The opt-in requirements in Sections 8 and 11 do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with Section 5, enters into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes, and, for joint agreements for marketing, provides only the consumer’s name, contact information and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a(d)(2)(A)(i), and the Vermont Fair Credit Reporting Act, 9 V.S.A. § 2480a(2)(A).
- Purpose; Scope; Application; Compliance rules; Exception for Information about Business Customers [VTCR 21-010-016 § 2][3.2]: This regulation governs the treatment of nonpublic personal information about consumers by the financial institutions listed in subsection C of this section. This regulation requires a financial institution to provide notice to individuals about its privacy policies and practices, describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, requires financial institutions to obtain consumer consent prior to disclosing that information, subject to the exceptions in Sections 14, 15, 16 and 17 of this regulation and 8 V.S.A. § 10204 and subject to the federal Fair Credit Reporting Act and Vermont Fair Credit Reporting Act, and provides an exemption from the provisions of 8 V.S.A. §§ 10201 et seq. for information about business customers.
- Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information [VTCR 21-020-053 § 12][5.2]: If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in Sections 15 or 16 of this regulation, the licensee may disclose and use that information only as follows: to the affiliates of the financial institution from which it received the information, to its own affiliates, or pursuant to an exception in Sections 15 or 16 in the ordinary course of business to carry out the activity covered by the exception under which it received the information. If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in Sections 15 or 16 of this regulation, the licensee may disclose the information only to the affiliates of the financial institution from which the licensee received the information, to its own affiliates, or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in Sections 15 or 16 of this regulation, the third party may disclose and use that information only as follows: to the licensee’s affiliates, to its own affiliates, or pursuant to an exception in Sections 15 or 16 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
- Qualified personal information protection company [8 VTST 2453][2.1]: A personal information protection company shall qualify to conduct its business under the terms of this chapter, chapter 72 of this title, and applicable rules adopted by the Department of Financial Regulation. A person shall not engage in business as a personal information protection company in this State without first obtaining a license from the Department. A personal information protection company shall maintain a place of business in this State, appoint a registered agent to accept service of process and to otherwise act on its behalf in this State, and annually hold at least one meeting of its governing body in this State, at which meeting one or more members of the body are physically present. A personal information protection company shall develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities.
- Oversight of Service Provider Arrangements [VTCR 21-020-055 § 8][6.1]: The licensee exercises appropriate due diligence in selecting its service providers and requires its service providers to implement appropriate measures designed to meet the objectives of this regulation, and, where indicated by the licensee’s risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.
Conclusion
As a service provider with access to personal information in Vermont, you cannot ignore your obligations. You must respond to a warrant served on you in the manner and within the time the statute sets (30 days, or as little as 72 hours on a court order for good cause), producing the items in a searchable manner and format [1.1], [1.2]. You must honor the contractual limits on disclosure and use that a financial institution or licensee is required to impose before sharing nonpublic personal information with you under the service-provider exception [3.1], [3.2], [5.1]. You may redisclose or reuse nonpublic personal financial information received under an exception only within the limits described above [5.2]. You must implement the measures a licensee requires of you under its service provider oversight duty and expect the licensee to confirm that you have done so [6.1]. And if you engage in business as a personal information protection company, you must first be licensed, maintain a place of business and registered agent in Vermont, and maintain a comprehensive information security program with administrative, technical and physical safeguards [2.1].
Source(s):
- [1.1] 13 VTST 8105: Execution of warrant for information kept by service provider
- [1.2] 13 VTST 8106: Service provider’s response to warrant
- [2.1] 8 VTST 2453: Qualified personal information protection company
- [3.1] VTCR 21-010-016 § 14: Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
- [3.2] VTCR 21-010-016 § 2: Purpose; Scope; Application; Compliance rules; Exception for Information about Business Customers
- [5.1] VTCR 21-020-053 § 14: Exception to Opt In Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
- [5.2] VTCR 21-020-053 § 12: Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
- [6.1] VTCR 21-020-055 § 8: Oversight of Service Provider Arrangements
Jurisdiction
Vermont