Can I skip having an information security program in place in Vermont? What are the requirements?

To comply with Vermont law, each licensee must implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The safeguards included in the information security program must be appropriate to the size and complexity of the licensee and the nature and scope of its activities ^[2.1]. The objectives of the information security program are to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer ^[2.2]. Therefore, it is not possible to skip having an information security program in place in Vermont if you are a licensee.

Source(s):

• [2.1] Information Security Program
• [2.2] Objectives of Information Security Program

Jurisdiction

Vermont

• Privacy