Vermont enacts Insurance Data Security Law which takes effect on 1 January 2021
June 12, 2022
It has been a feature of US law that the states are enacting privacy and data security laws at quite a rate to make up for the lack of federal oversight. In that way some states in the USA, such as California, are surpassing Australia.
Features of the Vermont law include:
- generally follows the provisions of the National Association of Insurance Commissioners’ Insurance Data Security Model Law;
- applies to licensees, defined as individuals licensed, authorised to operate, or registered, and those required to be licensed, authorised, or registered, under the Vermont Insurance Law, with exceptions;
- requires licensees to maintain a written information security program containing safeguards for the protection of non-public information and the licensee’s information system;
- provides that licensees must conduct a risk assessment to create a written information security program commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the non-public information;
- requires licensees to develop and periodically re-evaluate a retention schedule and destruction mechanism for non-public information, and establish a written incident response plan; and
- provides that the Vermont Insurance Data Security Law does not contain any private right of action, and that the Attorney General is entitled to issue administrative penalties of $1,000 per violation of its provisions, or $10,000 per wilful violation.