Can I use third-party cloud storage services that collect personal information in Vermont? What are the requirements?
Using Third-Party Cloud Storage Services that Collect Personal Information in Vermont
If you are using third-party cloud storage services that collect personal information in Vermont, you must ensure that the service provider is compliant with Vermont’s data privacy laws.
Under Vermont law, if you are a data broker and you collect personal information in Vermont, you must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under that program. The program must also have specific minimum features, including:
- secure user authentication protocols;
- secure access control measures;
- encryption of all transmitted records and files containing personally identifiable information;
- reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;
- encryption of all personally identifiable information stored on laptops or other portable devices; and
- education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security [3.1].
If you are a financial institution, you may disclose nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf, subject to certain conditions [1.1]. However, if you are not a financial institution and you receive nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in Sections 15 or 16, you may disclose the information only to certain parties, subject to certain conditions [1.3].
There are exceptions to the limits on disclosures of nonpublic personal information, such as for service providers and joint marketing [2.1]. If you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, you must:
- provide the initial notice in accordance with Section 5;
- enter into a contractual agreement with the third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes; and
- for joint marketing agreements, provide only the consumer’s name, contact information, and own transaction and experience information within the meaning of the federal Fair Credit Reporting Act and the Vermont Fair Credit Reporting Act [2.1].
In summary, if you are using third-party cloud storage services that collect personal information in Vermont, you must ensure that the service provider is compliant with Vermont’s data privacy laws. If you are a data broker, you must develop and maintain a comprehensive information security program that contains specific minimum features. If you are a financial institution, you may disclose nonpublic personal information to a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf, subject to certain conditions. If you are not a financial institution and you receive nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in Sections 15 or 16, you may disclose the information only to certain parties, subject to certain conditions. There are exceptions to the limits on disclosures of nonpublic personal information, such as for service providers and joint marketing.
Source(s):
- [1.1] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
- [2.1] Exception to Opt In Requirements for Disclosure of Nonpublic Personal Information for Service Providers and Joint Marketing
- [3.1] Data broker duty to protect information; standards; technical requirements
- [1.3] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
Jurisdiction
Vermont