[Michael Marcotte (Chair)]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Thursday, 02/26/2026, at 01:05 in the afternoon. So we're going to utilize this time until the floor to start looking at the redraft of H.211, which is the data broker bill, and to take some testimony. We have with us our legislative counsel, Rick Sable.
[Rick Sable (Office of Legislative Counsel)]: Good afternoon. Rick Sable with the Office of Legislative Counsel. So we're looking at draft 4.1 of H.211. I'll share my screen. So the changes from the last draft are highlighted in yellow. And there's really kind of two categories of changes here. One category is that there were some recommendations from the Department of Financial Regulation, which I think you're hearing from them today. Is that correct, Adhan? So they'll explain those changes, why they think they were needed. And there were some updates to the deletion protocol that consumers would have through the bill, provided by a data broker. So I will just speak to those changes. And of course, any questions about the overall scope of the bill, happy to answer, maybe after I go over those changes, if that works for the chair. Okay. So we're going to go down to page eight. And this is a request from DFR. And this is fairly substantial when it comes to the Security Breach Notice Act. Currently, this definition of personally identifiable information under current law needs a consumer's first name or first initial and last name in combination with one or more of the following data elements about a consumer. So again, they'll testify as to how they want to change this, but it makes this category much wider in scope, to where no longer would you need the first name or first initial and last name in addition to something else. Now it would just be any one of these data categories: Social Security number, driver's license. And, again, they'll testify as to why that is and why they think it's necessary, just for the Security Breach Notice Act authority in law. Okay. Next change is on page 10, the definition of processor. On the last draft, that last highlighted word, business, was data broker. So I'll read the whole definition. 
A processor means a person who performs any operation or set of operations, whether by manual or automated means, on brokered personal information or on sets of brokered personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of brokered personal information on behalf of a business. The recommendation here is to change it to business because later on in the bill, you'll see that there's an exemption from the deletion mechanism if you're a processor of a data broker. So here, it was decided that maybe this would be a broader definition. It shouldn't just be a data broker processor. It should be any business who has their data being processed. This will make more sense in context when I get down to the deletion language. Okay. Going on to the next change, which is further down on page 16. This is the Security Breach Notice Act. This is, again, a request from DFR. So currently, when there has been one of these breaches (we haven't talked a lot about this Security Breach Notice Act; it's current law), but if there is one of these breaches, any business that collects data, which is a very wide scope, includes the state and state agencies. So if an entity has a security breach and they have to provide notice to consumers, one of the ways to provide notice is through telephone notice, calling them. And under current law, it is... Again, you'll hear testimony that DFR is concerned that a lot of times the businesses that have the breach leave a voicemail very quickly without trying to contact the consumer. So the request is, if you provide telephonic notice, or telephonic notice for those consumers for whom the data collector has a valid phone number, the new language is: provided the telephone contact is made directly with each affected consumer and not through a prerecorded message, and further provided that the data collector makes not less than five attempts to contact the consumer for a live conversation before the data collector may leave a voicemail providing information about the breach. So five attempts before you leave a voicemail. Subsection C, just adding a heading, no other substantial changes, so it's easier to read and understand the statute. D, same thing, adding the subheading "exception to the notice requirement," no change to the law. E is the HIPAA compliance part of the Breach Notice Act. 
So again, DFR requested some language, and the substantial change is down here on page 19: that if a business or entity claims that they don't have to provide notice, or that something else requires them to not follow the Security Breach Notice Act because of HIPAA, they must provide notice to the AG or to DFR that this breach happened, not to the consumer, but to DFR or the AG, along with a certification of compliance with HIPAA notifications. I'll let them explain the details of that. Subheadings added to subsections F and G, no other changes, waiver and financial institution. So, 2436, I have a brief comment here. There's no change in the draft of this. But if the committee wants to update the definition of personally identifying information, I'm gonna suggest, and it's, of course, up to you all, that this new statute not be included in the bill. So let me give you some background. This notice, 2436, is almost word for word the Security Breach Notice Act, 2435, which I just went over. It's almost word for word the same. This part of the bill was added before there was discussion about updating the personally identifying information definition and is maybe not necessary legally, because, go back up, this 2435, the notice of security breaches, applies to every data collector, which likely includes most data brokers. So data brokers already do have to comply with 2435. The 2436, the new Breach Notice Act, would apply to brokered personal information. That's the only difference, is that if there is a security breach of brokered personal information. At this point, as this bill is written, if you are content with those two definitions, those two definitions are very similar at this point. So what I mean is personally identifying information and brokered personal information are very, very similar. And in my opinion, legal opinion, you don't need a second act just for data brokers. 
And that's, again, a policy choice. But if you wanna make things simple for businesses, I don't think you need the second act that really would add no meaningful protection to consumers. That's my legal opinion, but of course that's not in this draft, because it's a complex draft. I keep reading it, and I find things that we need to talk about, and that's my latest thing. Happy to answer questions about that, or I can keep moving on.
[Unidentified (multiple short interjections; diarization mix)]: I'm all about simpler.
[Rick Sable (Office of Legislative Counsel)]: Yeah, and again, it's assuming that you all want to keep these definitions kind of as we're directing them to, but something to keep in mind.
[Herb Olson (Member)]: Okay. One question. So what's the law? What's the section of the law that this would be? Is it located?
[Rick Sable (Office of Legislative Counsel)]: So 2435, 9 V.S.A. § 2435. It's literally right before this one.
[Herb Olson (Member)]: And you're saying some of the cleanup in the definitions is harmonizing, would further harmonize what we're talking about here? I have one question about the definition there. In the definition of the PII, I think it was personally identifiable information. Yep. Page 8. You struck through consumer's first name and last name. Why would that not be considered personally identifiable information?
[Rick Sable (Office of Legislative Counsel)]: So this current definition requires those two things to be present along with a third data element.
[Herb Olson (Member)]: I get that. But why wouldn't the consumer's name be said? I'm missing something.
[Monique Priestley (Clerk)]: No, I think I get what you're saying here. I think he's saying the consumer's first name or first initial and last name is struck, but it's not added to the list of elements.
[Rick Sable (Office of Legislative Counsel)]: That's a list of information.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Yeah.
[Monique Priestley (Clerk)]: Is that what you're saying?
[Rick Sable (Office of Legislative Counsel)]: So that's a policy choice. Would you want someone's name to be a data breach? If just their name is alone, is that something that is personally identifiable information?
[Monique Priestley (Clerk)]: Oh, yeah. Because it's Werner. Right. So maybe it's a question for DFR because this was a request. Oh, okay. Gotcha.
[Michael Marcotte (Chair)]: But when we created this, it wasn't PII if you just had first name, or first initial, and last name. But in combination with the Social Security number, driver's license, it becomes personally identifiable. That's the way we were looking at it however many years ago we put this in.
[Rick Sable (Office of Legislative Counsel)]: Okay. I'll think about it.
[Monique Priestley (Clerk)]: Let's ask DFR.
[Rick Sable (Office of Legislative Counsel)]: And this is something that I think we should all think about some more. I'm just thinking that it's not even legally necessary to have a separate one just for data brokers. Oh, I get that. I get that. But maybe the definitions need additional work. Happy to have that conversation. Any more questions about the Security Breach Notice language? Okay. So, we are moving down to the next change. Did that one already. So, added a subheading on page 24. No change to the... Oh, that is, I do wanna mention one thing. Sorry. I didn't highlight it. DFR contacted me about something that I missed, and I wanna set it up for them. So back to 2435. It's not in the bill, so you won't see it here, but there is language in the Security Breach Notice Act that, in fact, I have here. Let's do this. Okay. So in the enforcement section of the Security Breach Notice Act, DFR highlighted that currently it's only if an entity, a data collector, is registered with DFR, and they're gonna suggest that it be regulated by DFR and not just registered with DFR. So I'll let them describe why that would be beneficial for their work, but that's something not in this draft. I looked at it, I didn't have a problem with it, but it's something that you all should have a conversation about.
[Michael Marcotte (Chair)]: Okay.
[Rick Sable (Office of Legislative Counsel)]: On page 25, you've seen this before. This is me adding in a technical correction that is in H.650. I'm also putting it here. Hopefully, one of the bills moves so I can get this item fixed. This is just correcting chapter to subchapter. You're gonna see it in maybe 10 more bills by the time the session's over.
[Michael Marcotte (Chair)]: And one of them will make it through.
[Herb Olson (Member)]: Miscellaneous. I mean, it's the law of averages. Right? At some point.
[Rick Sable (Office of Legislative Counsel)]: Alright. On page 31. Okay. This is the deletion language. So there were no changes to the registration piece. A data broker still must register thirty days after becoming one, and then once annually, they must set the bond. That language from the last draft is still in this draft. We can have a conversation about it, but let me maybe get through the new language first. So subsection C: a data broker shall (A) maintain a conspicuous page on its website where a consumer or an authorized agent of the consumer has the ability to request the data broker delete the consumer's brokered personal information free of charge; (B) delete the consumer's brokered personal information not later than thirty days after the consumer makes a deletion request unless the data broker denies the request pursuant to another exception down below; (C) notify the consumer that the consumer's brokered personal information has been deleted not later than five days after the information has been deleted. Two, the web page maintained by the data broker pursuant to this subsection shall describe how a consumer may exercise the consumer's right to delete their information, including the process for the consumer to appeal the denial of a deletion request pursuant to a later subdivision. They shall adhere to the accessibility and usability guidelines recommended by the Americans with Disabilities Act and the Rehabilitation Act of 1973, and employ design practices that facilitate easy comprehension and navigation for all users and that are free of any dark patterns. Three, this is language that was in the last draft, but just to tee it up. A data broker may deny a consumer's request to delete the consumer's brokered personal information when they make a request to the extent that, and I'm gonna read these again: 
The retention of the consumer's brokered personal information is required by law or is required to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons. The brokered personal information is used by a consumer reporting agency to furnish a consumer report pursuant to the Fair Credit Reporting Act; is necessary to investigate, establish, exercise, prepare for, or defend a legal claim; is strictly necessary to fulfill a specific legal requirement on behalf of a business to which the data broker is bound by a written contract to fulfill that legal requirement; is used to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or to preserve the technical integrity or physical security of systems, or investigate, report, or prosecute those responsible for any such action. These next two are new. Data that is collected or used for purposes of the National Precursor Log Exchange or its equivalent. These are the pseudoephedrine checks: when you get Sudafed over the counter, they run your ID, so that information would be deemed not worthy of deletion. Or five, sorry, six: processed solely in the data broker's capacity as a processor to a business with which the consumer has a direct relationship, as that term is defined in this bill. And let me show you what that definition means. Okay. Direct relationship means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business's products or services. A consumer does not have a direct relationship with a business if the purpose of the consumer's engagement is to exercise a consumer right or for the business to verify the consumer's identity. A business does not have a direct relationship with a consumer simply because the business collects brokered personal information directly from the consumer. The consumer must intend to interact with the business. 
A business is still a data broker and does not have a direct relationship with the consumer as to the brokered personal information the business sells about the consumer that it collected outside of a first-party interaction with the consumer. Okay, that's the deletion language. Three, this is from the last draft, but I'm gonna read the
[Michael Marcotte (Chair)]: Sorry. That was already read.
[Rick Sable (Office of Legislative Counsel)]: Here we go. So, we're down to four and five. Four is previous language. Brokered personal information retained due to... let's see. If they deny it due to one of the exceptions, it must be separated or segregated from data used for any other purpose, deleted immediately upon the expiration of the legal or contractual requirement, and not used, sold, shared, or processed for any other purpose. Okay, five is new. A data broker shall provide the consumer with the ability to appeal an instance where the data broker denies the consumer's request to delete their information, as long as it gives the consumer forty-five days after the consumer receives notice that the data broker has denied the deletion request, is conspicuously available to the consumer, is similar to the manner in which the consumer submits a deletion request through this bill, requires the data broker to approve or deny the appeal within forty-five days after the date the data broker receives the appeal and to notify the consumer in writing of the data broker's decision and the reasons for the decision, and requires a data broker that denies a consumer's appeal to provide information that enables the consumer to contact the AG to submit a complaint. 6A is also new. If a data broker is unable to authenticate a deletion request, the data broker shall not be required to comply with the request (this is the deletion request) and shall provide notice to the consumer or their agent that the data broker is unable to authenticate the request. The data broker shall provide the consumer with the additional information the data broker requires in order to authenticate the consumer. As used in this subdivision, authenticate means the use of reasonable measures to determine whether a deletion request is being made by or on behalf of the consumer who is entitled to exercise that request with respect to the brokered personal information at issue. 
And then you may remember there were some other changes to the statute. Section two is the study from the Secretary of State's office about the deletion mechanism. You may recall that the previous version of the bill actually required the state to provide that deletion mechanism, and it was converted to a study. The only changes are the dates at the very end. The interim report would be due 04/15/2027. The final report would be due 12/01/2028, to give them time to conduct that study. And then the interim report would provide the General Assembly with recommended actions for the 2028 session. Okay. Questions about the changes or overall bill?
[Unidentified committee member]: So it looks like you got a little bit closer to where I was with the exceptions back up to the right Thank you. So I appreciate that, whoever was the best.
[Michael Marcotte (Chair)]: That was intentional. That
[Unidentified committee member]: being said though, there's direct relationships. So the direct relationship, can we go back up to the definition on that? If you don't mind going through that direct relationship again.
[Rick Sable (Office of Legislative Counsel)]: It means the consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business's products or services. A consumer does not have a direct relationship with a business if the purpose of the consumer's engagement is to exercise a consumer right or for the business to verify the consumer's identity. A business does not have a direct relationship with a consumer simply because the business collects brokered personal information directly from the consumer. The consumer must intend to interact with the business.
[Unidentified committee member]: So I think a consumer does not have the direct relationship with the business if the purpose of the consumer's engagement is to exercise consumer No, that's not what it is. Oh, a business does not have a direct relationship simply because the business collects broker. I got to think about this.
[Unidentified (multiple short interjections; diarization mix)]: It just sells.
[Michael Marcotte (Chair)]: Other questions for Rick?
[Unidentified committee member]: I'm not sure it does what I want it to do, but
[Rick Sable (Office of Legislative Counsel)]: I'll get a look at it now. OK.
[Herb Olson (Member)]: Don't hang around for a little bit in case of questions. Okay. I think I believe it's two.
[Michael Marcotte (Chair)]: Yes. Oh, fuck. It's okay.
[Chris Delia (President, Vermont Bankers Association)]: Good afternoon, mister chairman, committee members. For the record, Chris Delia, president of Vermont Bankers Association.
[Unidentified (multiple short interjections; diarization mix)]: Appreciate the change in schedule across the hall of court.
[Chris Delia (President, Vermont Bankers Association)]: Page three eighty five in a few minutes. So in looking at this, I just wanna offer some general comments and then get into the draft. And the general comments is I'm just trying to figure out how this fits into the broader discussions on privacy, which you all have the yes bill, which I assume you'll be taking up off the wall after crossover. Because this seems like you've got some components of a broader privacy bill in this bill, like the deletion sections. So I'm just trying to figure out the path, if you will, and how those ultimately reconcile themselves along the way. When I looked at this bill, just a few general flags, if you will. On page two, lines 10 through 12, you talk about biometric data, and in particular, digital or physical photography or an audio visual, unless such data is generated to identify somebody. So I would just call your attention to the fact that we do have cameras in our branches. And for law enforcement purposes, we would turn specific videos or photos over to law enforcement so that they can help identify who that potential bank robber was. And we wouldn't want anything in your work to prohibit that use, for us turning it over to law enforcement, because the whole purpose is to identify somebody in those cases. On page five, line four, and this gets back to the question of direct relationship. I guess what I'm trying to understand there and reconcile is the fact that we have customer identification procedures, and we may use an entity that's not a financial institution, but we have a relationship with, to help us vet that data that we've gotten on the individual for customer identification procedures. That has to happen under BSA regulations, know-your-customer regulations. So I'm still trying to understand how this interacts with that need that we have for identifying a consumer. The consumer has the direct relationship with us. 
We're trying to identify that consumer. They don't have that direct relationship with the entity that we're using, who may have, it's a Grind database or something, that we would be vetting. So I just wanna make sure we're not doing anything there that would interfere with us being able to do that. On page eight, lines 13 through 15, I'll watch the tape on the personally identifiable information and the name and first name request from DFR. I've been just thinking about it, that a date of birth isn't anything unless it's linked to somebody. I could come up with random numbers to make it look like it's a Social Security number, but unless it's linked to a name, it doesn't mean anything. It's just random numbers. So, again, I'm curious as to what the proposal from DFR is in this sense. On page 10, lines one through three, and I guess I should also step back and say, first and foremost, we don't fit within the definition of data broker, but these are just things that I'm flagging in the bill for consideration, because it's also who we work with to provide access to commerce and services. But on page, again, 10, lines one through three, precise geolocation. I obviously listened to all your conversations about concerns of geolocation, etcetera. And the issue that I can see here is an IP address of where an individual is communicating with our website is a form of geolocation if I can determine where they are. And in the context of fraud, that's very important. So for example, if all of a sudden my account is being pinged by an IP address over in Italy, that's gonna trigger something within the institution to say, are you in Italy conducting transactions? We're not. So it is utilized as a fraud prevention tool, and I just, again, wouldn't wanna see any limitations on that from the perspective of valid uses. This is under, on page 14, data brokers maintaining reasonable procedures. 
And, specifically, I'm looking at the top of page 15, parenthesis two. And, again, I'm just trying to understand how this plays out. So we have a data broker that we have a relationship with. The data broker does not have a relationship with our customers, so there isn't that direct relationship. And the data broker has to have policies and procedures to certify the information is sought, etcetera, for legitimate uses. So is this contemplating that when we are working with a data broker, we are going to be responding to the data broker in this certification process? It's not clear to me if that's intended or not, because, again, anything that we collect from that data broker falls under all of our privacy regulations that we need to maintain and adhere to. So I'm just trying to figure out if this is setting up a system where, if I go work with XYZ company to help provide the service to the customer, do I need to communicate with XYZ company the reasons why we have a legitimate need for the information or legal need for the information? Notice of security breach. I look forward to your conversations, because I kind of had the same question in the back of my head as to the need for two systems. But the only thing I would just share with you as cautionary is the telephonic notice. And that is something that you may want to put a little more of a boundary around, from the standpoint of what is the broker asking, if you will, if anything, of the individual. Fraud, as you know, we've had these conversations, is very active in the marketplace, and a tool that's used is the telephone, to call the individual to say, hey, I'm XYZ. There's a problem with your information. Please provide me your information. And as soon as you do that, you've given XYZ your data. And we always caution people when they get calls like that to be very mindful that it could be fraud. 
So I guess I'm trying to give you a heads up on a situation where you're gonna get a call from a data broker you've never heard of. And if they're asking you for information to confirm who you are, I think you're setting them up. You're giving an opportunity for a fraudster out there to do something wrong, more so than what they've got today. So I would just ask you to be mindful of that in the way that the data brokers communicate over the phone with the individuals.
[Chris Delia (President, Vermont Bankers Association)]: Now I'm gonna jump to page, really, I guess, pages 31 through 33, if you will. And my comments here are really focusing again on, we are not the data brokers, but we work with entities in the market that have data. And I'm still looking at this to make sure, and I don't know if we'll ever get there, but to make sure that we have accounted for business-to-business transactions when individuals are trying to seek products or services. And I'll just give you a quick example. Years ago, we created the freeze/unfreeze for credit reports. If I freeze my credit report and I forget about that and I go to buy a car, I'm gonna get to the dealer to fill the paperwork out and they're gonna say, we can't do this because you've got a freeze on your report. Very easy to go back in and unfreeze the report. However, if we've created a situation where that individual who doesn't yet have a business relationship with an entity, but is going in to buy the car, has put requests out there to have their data deleted, I don't know the method for recreating that data so the individual can then conduct the transaction that they wanna conduct. So part of it may be a premature deletion of data because they think that's the right thing to do, but they're not thinking about the ramifications of, I need this in the business market, or I wanna do this with this entity, and my data's gone. So those are the concerns, or just an example of the concerns, that I have. And this is, again, we're not the data broker. We feel comfortable with that here, but we work with entities that have data. And if that data doesn't exist, then consumers are not gonna be able to pursue the services that they're looking for. On page 33, in lines 10 through 12, for example, and this is under the category of a data broker may deny a request for deleting data. 
It says, under, again, (vi), line 10, processed solely in the data broker's capacity as a processor to a business with which the consumer has a direct relationship. Does that "solely" mean they're only processing for that business? Does that "solely" mean something else? In a data broker, I may have multiple clients out there, but I'm asking them to process something for the financial institution. So I don't know how that "solely" applies in the context of the ability of a consumer to eliminate the data. When you get into the other sections, as far as the study of the accessible data deletion method, no issues. How they file with the Secretary of State, etcetera, no issues. Yeah. Our concern is, again, and if I remember correctly, the individual from California stated it. And, again, this is why I go back to the question of how this fits into the bigger picture. California did their data minimization piece after they had their comprehensive bill. And I think the individual from California said that, yes, you need to be mindful of the need out there and legitimate uses for accessing data for commerce transactions that are out there. And that's why I continue to look at those provisions that you've got on pages 30 through 33 to figure out, are they truly covering the depth and breadth of what you might have out in the marketplace? Or are there gaps that may create problems for consumers?
[Unidentified committee member]: Chris, Michael? Yes. If someone has an account and they pass away, how do banks reach out to what do they do with the account?
[Chris Delia (President, Vermont Bankers Association)]: If there's a beneficiary named on the account, then we would follow up with the beneficiary on the account. So for example, my mother passed away; my brother and I were beneficiaries on the account. So as soon as my mother passed away, we were proactive in going into the bank, but if not, the bank would have contacted us. So what if the information is not accurate on the system that you have? You can run into a challenge.
[Unidentified committee member]: Would you would you tap into a data broker at that point?
[Chris Delia (President, Vermont Bankers Association)]: I mean, conceivably, we would wanna do some level of due diligence to identify what that deficiency is and a way to correct that deficiency, to do either what's right under rules and regulations that we have to follow or what's been identified by the customer on the account. Yeah. It could be any number of steps that we may have to take, relying on somebody that's outside of our institution.
[Unidentified committee member]: Would you tap into a data broker?
[Chris Delia (President, Vermont Bankers Association)]: Depending on where the information resides that we need to get, I could see where we might have to tap into the data.
[Unidentified committee member]: Okay, so under this bill, that would not be a direct relationship, and they would not have a relationship with the banks, correct?
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: They, you're assuming?
[Unidentified committee member]: The beneficiaries of the account.
[Chris Delia (President, Vermont Bankers Association)]: They have a relationship with the bank.
[Unidentified (multiple short interjections; diarization mix)]: Have to really think about that
[Chris Delia (President, Vermont Bankers Association)]: because they've been named on the account by mom. They've never Maybe they've. Gotta go back and think about what's gonna be the requirement to put a beneficiary on in the account because that beneficiary, I'm thinking, I can't remember if we have to provide if the beneficiary has to provide information to the bank. And if that's the case, then they've got the information that they're looking for. But in the event where that information didn't exist, there there isn't that direct relationship with the beneficiary. Again, if it didn't exist. And therefore, under this bill, it's problematic because we don't have that direct relationship.
[Unidentified committee member]: So in that case, let's say there's $10,000 in the bank account. You can't reach the beneficiary. What do you do?
[Chris Delia (President, Vermont Bankers Association)]: After a three year period, we're required to escheat that to the state of town as unclaimed property. And then it will sit out there as unclaimed property. And as the treasurer does on a regular basis, he puts information out to consumers, check the unclaimed property, and then I would go in and I'd say, oh, there's an account in my mother's name. And then I would follow up with the treasurer's office, and I would have to prove to the treasurer's office that I'm Mrs. Delia's son to claim the property.
[Unidentified committee member]: I don't think many people check on unclaimed property. I might be incorrect on that, but my guess is not too many people check it.
[Chris Delia (President, Vermont Bankers Association)]: And it's it would be a lot easier if you were able to to get correct information. Correct? I mean, we we would it would be easier and beneficial to the parties involved if we could get them there, in this case, the $10,000 sooner rather than waiting three years for the unknown of going to the state. If those circumstances can be resolved and we need to rely on a third party data broker to help us with that.
[Unidentified (multiple short interjections; diarization mix)]: And that's
[Rick Sable (Office of Legislative Counsel)]: a that's
[Unidentified committee member]: the kind of business that needs to be protected in this bill.
[Monique Priestley (Clerk)]: Chris, if you have time, I would love to go through this with you later when you have time, because we were attempting to hoping and thinking that this draft made it so there's exemptions for law enforcement, oh my god, words, fraud prevention, identity verification, and the Fair Credit Reporting Act. So that that is the intent to try to do things. So if if you're feeling like you're not doing, I would love to talk, like, work through it. Yeah. Yeah.
[Unidentified committee member]: I sit with you when you do
[Rick Sable (Office of Legislative Counsel)]: that. Mhmm.
[Chris Delia (President, Vermont Bankers Association)]: It could be a big tent with a number of people
[Unidentified (multiple short interjections; diarization mix)]: in that conversation.
[Michael Marcotte (Chair)]: Thank you.
[Chris Delia (President, Vermont Bankers Association)]: Yeah. I mean, I agree. You've attempted to deal with this in the exemptions. It's just I don't think we're gonna be able to account for every conceivable possibility that might come up. So I could see where we may have some issues out there. Time will tell.
[Unidentified committee member]: Is that Questions? I just wanna it's the the legitimate business that I'm concerned about. I really don't care about any of the other stuff. I mean, we'd even have a problem with like saying, all the data brokers are not allowed in the state of Vermont with access to web portals and stuff. But for a legitimate business, it's a real issue for me.
[Michael Marcotte (Chair)]: Questions? Hello, everyone. Yeah. Great. Thank you.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Good to see you all. David Hall, for your record, director of the business services division, secretary of state's office. Getting better at it. Well, I submitted some written testimony. While I've been sitting here, I updated it because everything I heard sparked some a few more points I hoped to make, and I shared that updated version. So if it's not on your website, I assume it will be at some point. I you told me your preference, but it seems like it'd be easier to look at the language together while I comment. Does that sound okay? So, I have a leapfing
[Michael Marcotte (Chair)]: switch. You
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: know, those grooves in my brain
[Michael Marcotte (Chair)]: are deep.
[Unidentified (multiple short interjections; diarization mix)]: We're all there.
[Michael Marcotte (Chair)]: So I think it should be logging in. Being live is fine. I need to turn off my okay.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: It's off. Alright.
[Michael Marcotte (Chair)]: Then I'm gonna share that draft.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Oh, good.
[Michael Marcotte (Chair)]: Here we are.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Be super helpful. I didn't need to set up my setup. You know, I've got two monitors plus my this is great. Thank you so much. So my comments, I guess I wanna frame in terms of what my division, what our office does at its core, which is receive and manage and then make available information, right? That's what we do. I think that's what our expertise is. What we don't do, or what I'm loath to do, is to cross a line over into being the people who do things about that information. And a lot of my testimony goes, in or is is is connected to that theme, I guess. The the first one the first point, it actually comes up a couple of times in the draft, and it's minor, but I I wanna point it out for your consideration. So online three here so we're we're right now, we're in the part of the bill that's talking about the stuff that the data broker needs to provide to our division when they register. And there's a whole slew of data points that'll come through. And then one of the
[Monique Priestley (Clerk)]: things is a link to a page in
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: the data broker's website that blah blah blah allows them to opt out of sharing and whatnot. And as a data point, I'm totally fine with having that address be available as part of the package of data that they supply to us. But my concern is, if I read this literally, it's calling for us to have a live hyperlink embedded in our software or our system to an external party. There's a few concerns I have with that. One is that links break over time. And if we're looking at about 800 data brokers, inevitably some percentage will not work, and then they will not call the data broker or anybody else. They will call me and be like, the web page doesn't work.
[Michael Marcotte (Chair)]: So are you suggesting we put your phone number in
[Unidentified (multiple short interjections; diarization mix)]: there? Give me my direct line,
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: which I don't actually know what that is, but I think it's 6511. So here's what I'm suggesting is we just modify that slightly to say a web address. So it's the URL of where they're supposed to go. And if we can maintain that as a live link, I will. I mean, I'm not opposed to it in theory, but my concern is that if I can't guarantee with my vendor that I have a reliable way to manage that, and also the second part is to ensure the safety, that that link is not corrupted, then I'm for it. If they say we can't safely do it because of our security parameters, then I'd like it to just be the URL address, but not a hyperlink. So that's a pretty simple one, I hope. So the next one I am flagging in my number two, I've couched it as clarifying intent concerning imposition and collection of fees for the failure to register. And that's on page 30, in lines six through 13. So you'll see here, the data broker that fails to register as required by subsection A is liable to the state for an administrative fine of $200 a day, an amount equal to the fees that were due during the period, and any reasonable cost incurred by the state in the investigation and administrative action. I'm only flagging this because I just wanted it to be in the record that we can definitely do current fees, we can do past fees. I'm pretty confident we can even collect back fees and that they can be calculated automatically by our system. We already do that for annual and biannual reports that are late by a number of years; we calculate how many years, it adds it up for you, it's very easy. But 1C, any of those costs of investigation and administration, those would be AG costs. And they would have to collect those, and I don't know what that looks like. But our working assumption is that we'll have an MOU with them on how this all shakes out, and that's great. We have a great partnership with them. 
But I just wanted to flag for your awareness as you're constructing this and you think about how this is gonna work on the ground. There are certain automatic things that we will definitely be able to accomplish within the system. And then there are other things like this that will be them. And how that shakes out, again, I think will be pursuant to an MOU. But I wanted to put that there for you. Any questions or clarity needed on that? Is it okay? So
[Herb Olson (Member)]: is your concern about seeing that
[Unidentified (multiple short interjections; diarization mix)]: you don't know exactly what costs are?
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: No. My concern is just to manage the expectation that I'm not gonna be able to build the recovery of those costs into my system or into an administrative process on my side that the AGO will have to pursue those through whatever mechanisms they pursue them. And I assume that'll require Are some
[Herb Olson (Member)]: you looking at changing language? No.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: I just want everybody to know. Just flagging for your To be sure we're all like on the same page with expectations. Sorry, heard you in a little
[Rick Sable (Office of Legislative Counsel)]: slow. No problem.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Let me put that on the umbrella of managing expectations.
[Emily Carris Duncan (Member)]: I don't think there's a language change, because the state can be any state agency.
[David "Dave" Bosch (Member)]: That's right.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Yes, and in subsection E of this 2446, the AG's office was and is charged with enforcement. So I think that's pretty clean. I think that's sufficient. Sometimes it says administrative fine or administrative penalty, and that can be construed to be one side or the other. I think we're gonna map that out together. But that's sort of that line I'm drawing between the parts that we can handle and the parts that they would handle. So the next one, my three, is the amendment of registration information, and then process and duties concerning omitted information. So on page 30 here, lines sixteen and seventeen, if you'll indulge me, I'm gonna read subdivision two to you. So a data broker that fails to provide all registration information required in sub A four of the section shall file an amendment that includes any omitted information not later than thirty days after receiving notice or notification of the omission from the Secretary of State and is liable to the state for a civil penalty of $1,000 per day for each day thereafter that the data broker does not file an amendment providing the omitted information. So there are several points I wanna make on this. The first one is this question of omitted information. And basically the way that we'll build this out is that all the stuff you told them to tell the state will be part of our online filing system, and they will have to provide a substantive response to it. And if they don't, they can't even check out. So it's highly unlikely that we're gonna know about an omission of that kind. Like you're not gonna answer the question, do you collect the data of minors? They have to respond or they can't finish. Now what they say, yes or no, and how they explain it is up to them. 
Which leads me to the second point, which is the omission probably is gonna come either from them realizing it or from some sort of public notice and complaint or from the AG in the process of an enforcement action realizing you didn't tell us such and such, that's separate and apart from the mandatory boxes we've got to fill out. So for all those reasons, I would request that you not predicate this duty to amend on getting notice from us and requiring us to discover something, because there are multiple ways by which that could be discovered. And we are the least likely to be the ones to discover it because, again, our system will require them to give us an answer. The other point I want to raise is a bigger question, which is about amendments, and it's not explicit in the language. And I apologize, I missed this before. But we would really like it if you would add the duty to amend their registration information if something changes. And that will give us the authority to build an amendment workflow, and it'll give them the chance to change it. We run into this problem now where there is no amendment provision in the data brokers law. And they come back to us and say, we made a mistake, or we had more breaches that we wanted to update, and we have to tell them, frankly, there's no amendment. You just have to file a new registration. The problem maybe legislatively for you is that what I would also really want to see from you is a fee for an amendment that is not the $900 registration cost. So if you wanna just say, I don't care what, $25, $50 for an amended registration, something, anything, we want there to be a fee because it creates the friction of people not just coming in and changing things lightly. But we also don't want it to be in any way punitive. We just want it to be consistent with other filing types, which are all over the place, but we talked about that last year.
[Michael Marcotte (Chair)]: Go ahead, Joss.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: So, for this section, that notification of the omission from the state, is that adequate? I actually suggested here, and I'm borrowing your device so you don't know. The omitted information would be not later than thirty days after discovery or receiving notification of the omission. So, from whomever it comes. If a diligent taxpayer comes and says, you said XYZ about your practice, but the policy that you uploaded didn't address what it was supposed to, then that's notice to the data broker, and they should update the record from our perspective. And yeah. So great question. That's what my proposal is. I'm not wedded to the construct or the verbiage. You can do it every morning. I just don't want it to be only triggered or triggered at all by us having to affirmatively reach out and say, we noticed x y z, because this should be a self executing duty to have adequate, accurate information. I appreciate you putting on the record that I couldn't see.
[Michael Marcotte (Chair)]: That's right. That's the record of what?
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: I had already mentioned the the express duty to update registration information if it changes. I think the question of this $1,000 per day civil penalty after thirty days, who's going to collect that? What does that look like? Again, I think that's going to be the topic of how we do that with the AG's office. That may be something that we could do if we built the system to calculate days, but that would be based on a report by the data broker. So, I would be loath to do it that way. I'd prefer them to basically represent to the AG's office the date we discovered there was a problem, how many days were delinquent, what's the civil penalty, because that's really what the AG does. Covers Oh, so four is the next subsection. My point for collection of civil penalties and clarifying material incorrect information. Maybe I didn't even need to flag this one, but the lawyer in me is basically asking, well, what is material? What is material incorrect? Who's gonna decide that? Because that's kind of a big deal. That is a huge jump in the penalty structure from you just forgot to tell us something versus there's something materially incorrect. There's also a divide between just incorrect, you put the wrong address in and you didn't disclose your practice of collecting employment data. So I'm not saying, I'm not offering any suggestion to the language other than what's in my testimony, which is maybe it should be that same construct of either when you discover or you receive notice of some sort of problem. So correct material incorrect information not later than thirty days after discovering or receiving notification of the incorrect information. And then the rest I would leave to, I guess, to the AG's office to determine what's material, what penalties they face, but I just flag it. It gives them pause. Sometimes there's no way around that. We know it when we see it, what's material.
[Herb Olson (Member)]: Your Honor, it's material.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: I object. This is immaterial. Contact information for a data broker could be material. That could be a big deal. Or you tell us the wrong URL. That's a big deal. My fifth point, clarifying expectations for website information and SOS procedures. This pertains to page 35 subsection 2446d. I'm not other than the URL piece again, I'm not offering or recommending any specific changes. I just want the opportunity to explain to you a little bit what this would look like in the real world as far as, oh, I am recommending one change. So in D, again, here on page 35, consumer rights web page. So secretary of state shall create and maintain a publicly accessible page and website provides consumers with the following. So a downloadable spreadsheet of data brokers that are registered. We've already got that, that's great. All the information that they provide. And then the link to the page we've discussed, if you could see your way fit to look at an address. What I wanted to, the two points I wanted to make are, we really operate two different websites and business services. There's the Secretary of State's website itself, which has a whole section of our stuff where we explain what kinds of businesses we really like, what the requirements are for them, blah, blah, blah. And then the portal itself is where all of that is executed. So I just want you to know that the Secretary of State's website information pages would be where I would write all this stuff about what this bill does, what the rights are, etcetera. And then the execution of all that will be over in the portal. The downloading of the information, the searching for data brokers. So those will be bifurcated. And I assume that's okay with you, but I just wanted to be sure you're cognizant of that. I think it satisfies the letter of the law. Hope it satisfies your policy pursuit. 
What I would, d three, ask you to consider is this bit about an email or letter template. And my concern was only marginal the first time this language came through. But now that there is an appeals process and there's obviously a lot of bases by which a data broker may refuse to honor a request, or they may not be able to authenticate the requestor. What it tells me is that this process is going to be a lot of back and forth, and it's gonna be fact specific by consumer. There's gonna be a reason the request wasn't honored. It's gonna be different probably every time. And there's going to be a consumer who's upset and needs some sort of remedy, and only the data broker can can supply it. All that in the face of this charge in three, which tells us to prepare a template intended for a consumer to use to send to a data broker who has not deleted the consumer's brokered personal information. My concerns are twofold. The first is a form letter, a template is not gonna be sufficient because these will be fact specific, frankly, oppositional procedures or correspondences between data broker and consumer. And second, my division doesn't have the capacity, whether it's the expertise or the person power, to get sucked into a dispute like this. Do you know what I mean? I can see the public very much looking to us to act as their advocate, particularly if it's already reached the point that their request to delete their information was denied. And I'm really loath to be inserted into the request or the dispute process. And my fear is that the directive in D3 will put us right in the middle of it. So, I'm asking you, your policy choice, but I'd ask that we not be responsible for that. Questions?
[Herb Olson (Member)]: I understand what you're talking about, but this part of the webpage is sort of intended to give a consumer some understanding of what their rights are. Or is that cutting somewhere else?
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: And that's and yes. The the information page, totally, a 100%. That's us, and we're cool with that on d one. Indeed. D d one, d two, as long as it's a a web address. 4, great. My only concern is 3.
[Michael Marcotte (Chair)]: Yeah. We're in
[Herb Olson (Member)]: that. Is there something that describes either generally or in detail what supervise rates are? I mean, they're trying to construct a request. Yeah. Yeah.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: I mean, the pages I envision it would have the information broken up into what does the state require them to disclose? What is the data broker's duty to allow you to opt out? How do you do that? And we would refer them to the website. We say each data broker's process probably going to differ, but generally here are the three elements your rights to request deletion. Here's what happens if they don't honor it and the timeframe for They have to tell you why. The right to appeal is forty five days, blah, blah, blah. I'm great to supply all that information. What I don't want to supply then is a form letter that says
[Herb Olson (Member)]: Yeah. No. I get that.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: You failed to do the thing. It doesn't say why. It doesn't say how long. It doesn't say what your gripe is. It doesn't address the facts of your situation in any way. I don't think it terribly advances the process with the data broker, and I think it gets us directly involved in a dispute.
[Unidentified committee member]: This consumer is going to assume your template is all they need.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: And when it doesn't work or what else or I don't this template doesn't work for me because they or what if they deleted my didn't delete my information because of x, y, and z? Should I still use this? Or I see that it says, blah, blah, blah, what really happened in my case was blah, blah, blah. And how many times does that happen? I don't know. Maybe five, but maybe 500. I don't know.
[Emily Carris Duncan (Member)]: So I hear and appreciate your concerns. I'm wondering if it might be remedied, because I think it still makes sense to give the consumers the information that they need in one place, at the same place where they would go to find this information. But might it make sense to have a couple of sentences that say the Secretary of State's office is not X, Y, and Z, but the Consumer Protection Agency, and here's their phone number, could support. Just want you to noodle on that.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Sure, no, I can noodle it. I am reluctant to volunteer them to also be the ones who get in the middle of a-
[Emily Carris Duncan (Member)]: Maybe they help create a form. Sure.
[Monique Priestley (Clerk)]: Let's process it and talk about it. Sure.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: I appreciate the
[Monique Priestley (Clerk)]: consideration. Did you have a number six too? Is this the study, or did you update that? There is a six Okay. Okay.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: In my notes. And the updated, I think, is already on there. So the points on this would be, I think when Lauren Hibbert, my deputy, was here last time on screen with you, she suggested that we would use an expert to do the study and that we would wanna hire somebody, so that would require funding. And I didn't know if that was part of your conversation, so I just flag it. The second piece is about the cost. And as I've written in my written testimony, I don't have a CR from my vendor right now about what their estimate would be, but based on other work that we've, you know, been floating based on legislative changes and others, I think we can reasonably estimate at least $50,000 to $60,000 for the change. Because the fees are increased, they are intended in part to cover that. That's fine. I'm just trying to build a record, just to be perfectly honest with you, that every time we change something, it definitely has a cost. And sometimes, you know, we'd be able to absorb that, but all of it, we definitely can't. So in this case, fees are increased, great, correspond to the amount of work, wonderful. I do think it will take them at least four months to update the code to execute the build, to go into UAT and have the flows tested, upload functionality. Just the reality of the timeline. Maybe it's a little bit faster. The quote we received for the UCC API was four months, and that's a little bit more work. I'm building in some wiggle room here. So maybe three to six, three to five, something like that. So consequently, I think it would be important to have the updates on our website be delayed enough to let us do that work. Because we wouldn't want to make a legal requirement that they can't satisfy yet. Right? So if you said new year, new DB registration, I have no qualms about having that built and deployed by new year. So that is it. I'm done burning up your time.
[Emily Carris Duncan (Member)]: Questions for David? Thank you very much.
[Unidentified committee member]: Thank you all for having me. Let's go.
[Unidentified (multiple short interjections; diarization mix)]: You.
[Emily Carris Duncan (Member)]: The
[Monique Priestley (Clerk)]: order was updated because of Chris, so Hillary's last. So it's Jamie next. Jamie, would you join?
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Sorry. I have to take my son to the doctor. If you need me, an email will Thank you. Thank you.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Good afternoon, madam chair, members of the committee. My name is Jamie Fiume with Primmer Piper, here this afternoon on behalf of the American Property Casualty Insurance Association, which is the nation's largest and preeminent association for property casualty insurers, as you might have guessed by their name. Several hundred members of whom write all lines of P&C in Vermont, including auto, homeowners, workers' comp, etcetera, both personal and commercial. And also on behalf of State Farm Insurance Company, which is the nation's largest property casualty company. Thanks for the opportunity to come in and speak to you this afternoon on H211. You may hear some similar themes to the testimony you heard from Chris earlier, but from an insurer's perspective, because there are some nuanced differences, but still some similar lines. But it's important, so if you'll permit me, I may cover some ground we've already heard. Let me state at the outset that insurers are not data brokers, so we're not encapsulated by the definition either. Insurers do not treat PII as a commodity to be sold. However, insurers do access a lot of information, a lot of data, including from sources such as data brokers, in Vermont and elsewhere. This information is necessary from our perspective, whether it's generated on our own part or provided by others, to rate risks, price policies, to provide policyholder services such as, importantly, administer claims and process claims. You've heard about fraud. That's very important for insurers. In fact, there's a requirement in Vermont law that insurers develop a, you know, fraud plan and a mechanism, in terms of what to do to prevent, investigate, and respond to instances of fraud. The data that we collect is important in providing and compiling that information. 
So really, it's the access to information that is bringing me here this afternoon and the ability to continue to meet those policyholder needs. We're here, I think, as you heard before, also because we are having some elements of privacy and access to information and protection of information through this bill and not a larger comprehensive privacy bill. As you know, California, for example, had the privacy bill, which has exemptions for insurers, financial institutions, etcetera, to treat these purposes. And then their DELETE Act incorporates the privacy bill. So those exemptions flow through. Here, we've got a different dynamic. So we're kind of having a privacy discussion in addition to the DELETE Act discussion as well as some other changes. And I do want to recognize the steps that have been made through drafting and amendments that are trying to maybe encapsulate some of the services that I just described, but it's really difficult to try to envision or predict how an insurer's business on behalf of its policyholder might be impacted by either the existing exemption language or by a deletion, frankly. Because we are talking about privacy, let me briefly explain what is in place for insurers, which are highly, highly regulated entities at the state level. Since 2001, inception of Gramm-Leach-Bliley, the DFR has had a comprehensive regulation whose scope applies to nonpublic personal financial information as well as all nonpublic personal health information. It requires notices to consumers about the privacy policies of a company. And I think what I'd like to leave most importantly about this regulation is, significantly, it requires an opt in by the consumer before a company can share any of their information with a nonaffiliated third party. That's a standard that is very high; in fact, very, very few states have that sort of standard. 
So, when you hear comparisons among states on treatment of GLBA, please remember that our standard is already extremely high and requires that affirmative opt in by the consumer. There's also an accompanying regulation that requires insurers to have standards for safeguarding, in other words, the software and the platforms for safeguarding that info. We have our own regulation on record retention. Just a few years ago, a law was added to the statutes called the Vermont Insurance Data Security Law, which adds further sort of delineation and protections for personal information. And, like under GLBA, it extends to third party consultants or vendors those same obligations. So any kind of contract we enter into with such third parties makes it clear that they're protected pursuant to our protection standards, and they're not subject to further sharing. I think, as I mentioned, our biggest concern is the continued access to this information and, in the absence of that, how it might impact our ongoing procedures and policies. Take the insurance policy by itself; it's a contract between the company and the policyholder. Within that contract is a duty to defend the policyholder in claims against it, or in claims, to investigate those claims for legitimate purposes, for fraud. In other words, the insurer is acting as a fiduciary. They're stepping into the shoes of the policyholder to investigate these processes. Some of these claims can take years to develop and years to resolve. So we're worried about the lack, I think, of specificity in the bill on the tenure or length. We're worried about premature deletions that might somehow impact access to information that could put insurers, which have this regulatory scheme and obligations as fiduciaries, with regulatory consequences for failing to act on those duties, at somehow risk or jeopardy. 
And so when I look at additional examples of how insurers use this sort of information, I mentioned legal obligations, regulatory inquiries, fraud investigations, law enforcement inquiries. Again, the deletion rules risk premature deletion from our perspective. I know that there is information or listed among the exceptions are for these instances, but again, what's to prevent a premature deletion? I think that is certainly an area that we want to focus on a little bit further. I mentioned the claims processing; that can include some sensitive information, privileged information that has to be preserved until cases are resolved. Insurers use models all the time, both for rates that they submit to the department for review and approval in terms of modeling. Those often involve, first one, PII. And then, I could go on, but those are just a few. The concerns, again, with the language are: The bill fails to clearly define the scope and duration for retaining the data. No explicit protection for privileged and sensitive data. These are for existing uses. I want to raise a little bit the potential for impacting new business. Take, for example, auto insurance. Insurers will often use a data broker to obtain from DMV a three year record of the driver's history. That's granted through DMV to a broker through contract. I think, you know, it's through the federal drivers protection something, DPPA, I forget the name; also through DPPA are security notices, recalls, defects, etcetera. But insurers will order a few hundred thousand MVRs a year at application, at renewal, to get an understanding of the risk that they're insuring, and again, it's all about being able to price the policy to the risk to match that, and in the absence of that information, it has an impact on what that price might be, and an impact on the insurer's underwriting. I recognize the exception references the existing definition for existing business relationship, including access, accessing financial products.
But does that include, say, an individual has asked for their information to be deleted; is the data broker allowed to create a new file for that individual to pull the DMV, we call them MVRs, the DMV MVR, motor vehicle record? You know, there is the exemption for FCRA, which is a little bit interesting wording, but, you know, doesn't have sort of the clear exemptions that insurers are used to seeing, whether it's in a privacy law or even in the California Delete Act. And so because of that, you know, rather than trying to predict what that might be, I'm here to ask for a clear exemption for regulated entities, regulated insurance entities under DFR that receive this information, so that we're not sort of putting at risk the continued access to the information. I mentioned the security that's in place now to protect the information to hopefully give you comfort that it isn't sort of the ability to sell or to further share the information downstream; it's for those insurance purposes internally and to be able to service those policies, whether it's related to underwriting, whether it's related to claims processing, whether it's related to fraud prevention, etcetera. We just think the easiest way to accomplish that is through a clear exemption. So, I'm happy to answer some questions that you might have. I'm also happy to continue to work with the lead folks on this to see if we can address some of these, I guess I'll call them gaps, that in our minds exist. But I do again want to acknowledge that, you know, the language has come quite a ways, and I don't want to leave that unsaid.
[Michael Marcotte (Chair)]: Questions for David?
[Herb Olson (Member)]: Herb? Yeah, so thanks, Jerry. Trying to remember what the DFR rule. This type of legislation and the rule, or is it more that you want to be able to have access to the information that would otherwise be information on the data?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: The latter, or otherwise might be subject to deletion and therefore not Correct.
[Herb Olson (Member)]: So it's not like there's anything inconsistent between that rule.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Is only that this bill doesn't really speak to the treatment. It speaks to the potential to delete it with the exceptions that are included.
[Herb Olson (Member)]: Yeah, I understand. You're looking at the impact.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: We're looking at the impact, exactly. And to not, again, we're not selling the information, we're not using it for purposes that generally aren't authorized or asked for by the consumer. But as I mentioned, some of this can hang for a long, long time, especially if claims are litigated, multi party claims, accessing everything what that exemption would look like? Sure. Yeah. Because, you know,
[Herb Olson (Member)]: exempt all regulated and just pregnancy is regulated by well, what does that mean in terms in practical matter, in terms of the slashing and misledged?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: I mean, that's it's a difficult one, and I've struggled with my clients as well. And I've we've, you know, fooled with it. I mean, I could even just read this that I think we've offered information. It would be an adding exemption. Collected, used, or disclosed by insurers subject to regulation under Gramm-Leach-Bliley and its implementing regulations. I mean, so that is narrow and gets to it. Yeah.
[Herb Olson (Member)]: But I understand that because are you making exception to the deletion requirement specifically for the
[Michael Marcotte (Chair)]: deletion? Correct.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: And that's it. That's what this bill addresses. If we take up the Senate bill later on, I'll
[Herb Olson (Member)]: But how can phrase that? I mean, so the data broker is a tremendous one, and you create an exception on the consumer's ability to delete. But It's do you how do you how do you identify with specific information that you're trying to exempt. Yeah.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: I mean, that's information that the data broker would have and would only release it to us upon our request.
[Herb Olson (Member)]: Right. They probably have a lot of information. How do you distinguish between, the universe of information you have about that concern and information that you're looking for?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: It's the information that we would need, not to retract, we would need to be able to underwrite a policy, administer a policy, renew a policy.
[Herb Olson (Member)]: I'm just trying to think about that.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: To process the claims, to access medical information for injuries sustained in an accident, both first and third parties. Its ability to conduct actuarial models, rating models.
[Herb Olson (Member)]: But in that point, definitely, if you haven't gotten that, then the consumer really doesn't have a right deletion. I mean, it's it's it'll serve your insurance company purpose. Haven't seen what's left.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Well, this would be the deletion right wouldn't apply for insurance purposes. In other words, the data broker on the contract of the bill could deny the deletion request because of the insurance purposes. As well I.
[Unidentified (multiple short interjections; diarization mix)]: Think No. Go ahead.
[Monique Priestley (Clerk)]: Don't Jimmy, was just wondering, as far as the processor exemption that was really trying to get at, like, the the business use of was just wondering if you could speak to that at all. Just your thoughts of trying to navigate that and how this doesn't cover that.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Yeah. I'm a little concerned about new applications. I understand accessing, but if the information's already been deleted, are we allowed to open up as a data broker, are allowed to open up a new new file for that individual? We're very concerned about the lack of details on how long the tenure to be able to Like, for example, if we can use it under the existing customer relationship to administer blah blah blah blah, does the data broker know that they may need to hold on to that for ten years, twelve years? Could there be an inadvertent deletion request that's done sooner thereby not allowing us to have that information that we need? It's it's those areas. I understand you're trying to craft the to meet all scenarios that might come into play for various sectors, perhaps even including insurance. That's the struggle we're having with trying to predict that same scenario of how we need it. And from our perspective, the cleanest way to do that is a clear exemption.
[Monique Priestley (Clerk)]: It's related, if that's okay. Yeah, and thank you. Try to do all the things. I guess if you I'm not sure if you can speak to this, but I think what the trying to do an entity level under entities unregulated or under DFR, I can put in that email where I was trying to ask people to be more specific about business rules, had examples like things like if somebody takes out a loan, but then that information is sold that they took out a loan and they might be, you know, then that's sold to credit card companies that can use them to target credit card offers and that kind of stuff or student or like loans that were meant for student education financing that then those students start getting offers for different things. And I'm like, so there's certain valid uses where you want the student to able to take out the loan, but you don't necessarily want them to be all of a sudden marketed to by the entire different industries. As an example, but I think that happens in different cases. So to do the entity level under entities regulated by DFR is hard because it covers a lot of different entities.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Yeah, and I may get fired by my clients, but I don't think entity level for this bill isn't as important as it is for a larger privacy bill because we really are talking about the information that's coming. So when I say information collected, disclosed to regulated entities by DFR, that likely excludes some of the folks you're worried about.
[Monique Priestley (Clerk)]: Sure, Okay. I'll come to that. Thank you.
[Unidentified (multiple short interjections; diarization mix)]: So regarding car insurance,
[Unidentified committee member]: an insurer will reach out to a third party for like accidents, correct? Is a database for that?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Yep. DMV holds
[Unidentified committee member]: it. Oh, DMV holds it? Oh, okay. Never mind
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: DMV enters into contracts with entities, data brokers, to provide that information under permitted purposes under federal law, this federal DPPA that I mentioned, which includes driver records for insurance underwriting.
[Unidentified committee member]: So if a person knew who the data broker was at that time, could they request the delete of that record or not because
[Michael Marcotte (Chair)]: of the rules with MVR? If
[Unidentified committee member]: this person knew Like, for example, I'm shopping for insurance. I know I have, like, 10 car accidents on my record. Can I request to delete and then go get insurance? Which puts anti selection, right? And it gives me a better rate, but at the end
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: of the day, cost you all more. I don't, In this instance, the the the data broker. We'll have the MVR, but DMV is the holder of the record, so I don't think they could ask DMV to delete their their driving history. So your example Okay. So it's
[Unidentified committee member]: they go directly to DMV. Correct. And it's he's gonna say no.
[Michael Marcotte (Chair)]: Well, he's And that's
[Unidentified committee member]: what that's what I'm thinking. I don't I don't know if it's like that current. Like, for Hawaii, I think you have to I think it takes a couple of days to get that information. I might be wrong on that. But Well, I didn't all
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: I know is insurance companies will submit on a frequent basis data request to a data broker to approach DMV to get their three year driving record. Right. And we'll provide with that and what that looks like is part of the underwriting factors that go into pricing the trials.
[Michael Marcotte (Chair)]: What's the sort of requirement of the data broker that you contract with? They're required to hold their information. Oh, are they do they fall under the same laws that the insurance companies fall under? So are they or can they take this data that you're asking them to gather and then turn around and sell it? Yeah.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: That's I know something about the contract that DMV requires the parties to enter into, but I don't know enough to answer your specifics about, you know, I will I don't wanna assume or guess. I think it likely addresses permitted uses through the federal law and nothing beyond.
[Michael Marcotte (Chair)]: Think that's the crux of everything, is make sure that the data brokers want, either through insurance or through banking, that they're not able to turn around and sell that data that they've been asked to gather under these specific reasons. Emily?
[Emily Carris Duncan (Member)]: I guess following on that, does the insurance industry have specific data brokers that are insurance specific that they work with in order to gather that information?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: I know there are a few, yeah, that are
[Monique Priestley (Clerk)]: common. And then
[Emily Carris Duncan (Member)]: aside from that, do they kind of just gather data from all kinds of different data brokers that are not necessarily?
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: They may be there may be data brokers that have broad information. They may be other claims information. There may be data brokers that have health information. So yes, there likely are. But I don't know the specific universe. It's probably for, you know, efficient one entity going to DMV for two fifty insurance companies versus two fifty insurance companies going to DMV directly to get the MVR.
[Emily Carris Duncan (Member)]: Yeah, I definitely understand that. I just am trying to get my head around what the types of data brokers, because if there are some that have regulations that are pegged to your industry, does
[Michael Marcotte (Chair)]: that kind
[Monique Priestley (Clerk)]: of flow through the
[Emily Carris Duncan (Member)]: whole thing? Are there actual guardrails there or are they like
[Monique Priestley (Clerk)]: Right.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Yeah. And I do know, recall, again, on the contract, that those entities that do sign the contract with DMV convey the same restrictions to those that they also might share information through permitted purposes. So this may not satisfy your question you're trying to solve, but there is that two way flow of protections, at least from the insurance perspective.
[David "Dave" Bosch (Member)]: Here with me folks on this one, Our colleagues down the hall in judiciary are dealing with things related to criminal records, whether it should be sealed or expunged, which is the equivalent of deleting it or just not making it available to somebody without authorization. Is something like that technologically possible? Because it sounds like the information that is typically has to be deleted is the essential stuff that insurers, bankers, and other similar businesses need. So isn't it possible perhaps to keep that information, but put up a firewall so that it's not available to the public?
[Michael Marcotte (Chair)]: I think that's what they do now. Pretty sure, just remembering because we've had this discussion before that probably Dylan can help us. The company that D and B contracts with, the data broker that you contract with, that I remember right. That's all they do. And there are contractual agreements, pieces of contract that require them to keep this keep this data private. They can't turn around and sell it.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: No further downstream sharing. Exactly.
[Emily Carris Duncan (Member)]: Dave, just a little. I think if we were dealing with one entity that had the information, it might be different. But we're dealing with an industry of brokers, and to ensure that every single one of them I think the more gray we put in there, the harder it's going to be to enforce the law and to ensure that Vermonters' privacy is maintained. And so I think I love that thought. And if it was our court system, one in place that had all the information, that was a state agency, that we had some influence over, that's so different from this vast international industry that is collecting data and has so many different ways of getting data. So I think we should keep thinking on it, but I'm just not sure that it's apples to apples.
[Jamie Fiume (Primmer Piper, for APCIA and State Farm)]: Thanks again. I look forward to continue to work with you all as this Thank
[Dylan Giambatista (Leonine Public Affairs, for RELX/LexisNexis)]: Thank you, mister chair. For the record, with Leonine Public Affairs here today on behalf of RELX. RELX is a data broker, and applicable RELX companies qualify as data brokers and have been registered with the Vermont Secretary of State since the data broker registration laws went into effect in 2019. My testimony is gonna sound a lot like Jamie and Chris's, because when they spoke about the data brokers that they go to for the information, in many cases, it is a company like RELX, and I'll give one example just to kind of paint that. Well, maybe two chairs indicated that data brokers act as the intermediary between DMV and auto insurers for purposes of pulling that new motor vehicle report.
[Dylan Giambatista (Leonine Public Affairs, for RELX/LexisNexis)]: RELX has a contract with DMV to do that. And I think Jamie is accurate in representing that there are only specific uses in that DMV DPPA agreement for what that data can be used for. We can't use it for other purposes. There's additional cybersecurity insurance requirements. It's fairly rigorous. And I would say that that extends, when I get into some of the other aspects of my testimony, to GLBA data. The other example is if anyone's ever logged into their financial institution and has gotten the questionnaire, what road did you live on when you were 17 years old? You gotta select it to make sure that it's actually, in fact, like Marcotte logging in. That's a LexisNexis, that's a RELX product. And so when we talk about, and I really wanna take the time today to focus in on, the deletion aspects of H.211, because it's really critical in our view that the deletion aspect not get in the way of that type of a service that protects consumers as they go to transact business in the marketplace. I wanna caveat my testimony by just saying that my client hasn't had the opportunity to fully review the latest draft of H.211, and so my comments are gonna be relatively high level. I'm happy to continue to work with the committee as you look through this. I'm gonna, you know, triple down on what Jamie said with respect to some of the interaction between H.211 and an omnibus privacy bill. And I think the context again is that this bill largely, I think, is intended to look like the California Delete Act. The California Delete Act was put in place after the CCPA was enacted and really intended, based on my understanding, to fill kind of a technical gap in the deletion provision in CCPA. But the California Delete Act cross references to the exemptions included in the underlying CCPA.
And those are the same exemptions that you find in every state privacy law: Fair Credit Reporting Act, GLBA, DPPA, HIPAA, data level exemptions, and I totally understand the concerns that have been raised around this table over the years about entity level exemptions and opening up to some of the concerns that Representative Blake Priestley has outlined. I also wanna say at the outset, with respect to the changes of the definition of data broker, how they file with the secretary of state, no issues. And so I kinda wanna hone in on the deletion aspects of H.211. And because we don't have an omnibus privacy law, I expect the committee will take a look at that post crossover. I think it's really important that we get the different elements of H.211 right. Looking at the deletion provisions in H.211 and the approach taken, because it's not a data level exemption referencing GLBA, FCRA, and DPPA data, it's kind of a unique and novel approach, not one that we've seen in any other law. And so rather than adopting that data level exemption, it's really trying to kind of shoehorn in use case exemptions, and that raises some concerns from our perspective. And so our request to the committee today would be to report those data level exemptions. So and I do appreciate some of the additions that have been made in the recent draft as an attempt to try to get at those use case and legitimate business purposes. But I wanna walk through why I don't think that they kind of meet that need. First, I think subsection C3A, the required by law language provision, reads that a data broker may deny deletion requests where retention is required by law. That term implies a specific kind of identifiable legal command. And while those commands do exist in some of those federal statutes, compliance obligations extend beyond individual retention requirements.
So maintaining an accurate consumer reporting system requires suppression lists, correction histories, audit trails, accuracy monitoring infrastructure, none of which is traceable to a single discrete thou shalt retain command in each of those federal statutes. That's a question. So I'm looking at it's going to be subsection three C three a. I can get your page number. Yeah. So the deletion request doesn't just touch the records that are explicitly required to be retained, but it touches the compliance architecture around those records. And so when the AG or a private entity evaluates whether the denial of a deletion request was lawful, the question that they're gonna ask is, was retention of this specific data element about a specific consumer required by law? And the ambiguity created by this language, I think, is a real challenge for my client. And that's why it would be solved with a data level exemption for each of those federal privacy laws. It eliminates that ambiguity because those laws have kind of a clear framework for how that data can be used, how it can be maintained, how it can't be used. They sort of set aside from the simple require language. The second subsection, I think, was added to try to address some of the concerns that were raised in C3B3. Three. And that's strictly necessary to fulfill a specific legal requirement by written contract. This provision has a couple of issues. First, it requires a written contract as a vehicle through which the legal application files flows. But a company's obligations under FCRA and GLBA attach to a company directly by operation of federal law and not because a client contract passes through to them. So a company is or is not a consumer reporting agency or, sorry, a GLBA covered service provider by virtue of what it does, not by virtue of what the contract says is covered.
And so if a client contract were terminated tomorrow, the federal compliance obligations would still remain even though the contractual obligations are no longer there. The word strictly, I think, imposes a necessity standard that gets kind of challenging to satisfy in practice. FCRA, for example: compliance requires cross referencing historical data across consumer files, maintaining those suppression lists and preserving correction histories, none of which can be characterized as strictly necessary to fulfill one specific contractual obligation, even though they are unambiguously required under those federal statutes. The practical effect of this is that a data broker invoking this exemption faces significant legal uncertainty about whether that retention practice kinda meets that threshold laid out. Moving on to subsection C3B6. This is the processed solely in the data broker's capacity as a processor language. The word solely, I want to hone in on. A company may not process consumer data exclusively as a processor for a single downstream client. It may maintain its own data assets, operate as a controller with respect to many of those assets, and simultaneously perform processing functions for financial institution clients. And so in any given transaction, a RELX company, for instance, might be acting both as a controller and a processor. And so the solely requirement means if a company has an independent data governance role with respect to consumers' information, which it typically does, the exemption would be available to them. Taken together, those three exemptions share a common kind of structural deficiency: they're use case versus data regime based, and it would require companies like RELX to demonstrate for each individual deletion request that each one of those narrow subset of specific conditions applies to the specific data at issue.
And this is incompatible with the federal regulatory framework laid out in those federal privacy regimes. And that's why we would request that the committee come in, align the bill with California, and include the data level exemptions for FCRA, GLBA, and DPPA. And I think just taking a step back, having watched a lot of the testimony over the past couple of months, including from regulatory actors in California, I haven't heard in that a concern that the exemptions that exist in the California Delete Act are creating a challenge for them with respect to consumer privacy. And so absent that being raised, I think we have concerns about the novel approach that's being taken in this bill. And so I may just offer a couple of thoughts on a path forward for the committee. I mean, I think the simplest in the context of this bill alone would be to align with the California Delete Act by including those data level exemptions, not entity level exemptions, data level exemptions, for those privacy regimes. Alternatively, I think you could advance the elements of this bill; the changes to the definition of data broker, the reporting timeline all seem to make sense. And recognizing that you probably will turn your attention to S71, which does include a deletion mechanism, not just for data brokers, but for anyone new or any business who holds consumer data, and have the deletion conversation in the context of a broader omnibus privacy bill. The order of operations here is challenging. I appreciate that without having an omnibus privacy bill in place. And I think this conversation would be better suited to have in the context of that conversation. But absent that, alignment with California might be the right approach.
[Monique Priestley (Clerk)]: Dylan, do you have stuff in writing that I I've tried to take notes.
[Dylan Giambatista (Leonine Public Affairs, for RELX/LexisNexis)]: But Yeah. I will. Thank you. I can provide that. I just I wanted my client out to review. So Okay.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: It's data level or industry level, or is it legislation that blends them?
[Dylan Giambatista (Leonine Public Affairs, for RELX/LexisNexis)]: For the state privacy law landscape, I think there's a variety of different approaches. And I I see merits on both sides of the argument with respect to some of the challenges that have been raised from entity level exemptions. But in previous privacy conversations, including in this building, I think what we've learned from individuals and and advocates is that a data level approach is more protective because it doesn't cover an entire entity. And so that's why we were trying to respect that general line of thinking and suggesting that Active. You're more productive of? Of the consumer. Okay. Yeah. But this use case is we're having a hard time wrapping our heads around exactly how it play out, and the uncertainty and ambiguity there is a a real concern. For the reasons that Chris and Jean laid out in terms of if there is a if a data broker doesn't feel like they can reject a a deletion request or that they are obligated under the framework here to with the weak data, that does have downstream consequences to financial institutions and and insurers and others that use our services to kind of verify identity, prevent fraud, underwrite insurance policies. And I think we're trying to avoid that.
[Herb Olson (Member)]: Is your you sent in a statement, right? Yeah. I wanna
[Dylan Giambatista (Leonine Public Affairs, for RELX/LexisNexis)]: have my this is just my second scratch. That ends my point. Suggested amendment? Yeah. I can share the suggested amendment well in advance of the right testimony, but I have to
[Rick Sable (Office of Legislative Counsel)]: Oh, okay. Both.
[Michael Marcotte (Chair)]: Questions for Do? Thanks, Do. Thank you.
[David Hall (Director, Business Services Division, Vermont Secretary of State)]: Steve? I think Hillary
[Monique Priestley (Clerk)]: and Steve just swapped again.
[Michael Marcotte (Chair)]: Oh, okay. Hillary.
[Hillary Borcheting (Assistant General Counsel, Department of Financial Regulation)]: Remaining dynamic. Afternoon. Good afternoon, chairman, members of the committee. My name is Hillary Borcheting. I am an assistant general counsel at the Department of Financial Regulation. Thank you for this opportunity to speak today. I'm here today to testify in support of the change to the definition of personally identifiable information in section 2430 and in support of the amendments in 2435, the Security Breach Notice Act, as well as to talk additionally about the proposed change that didn't end up in this draft, which is to the enforcement mechanisms under the Security Breach Notice Act related to the department. I'll say at the outset that there's been lots of conversation today about the data broker provision and how that might impact regulated entities at the department. I am not prepared today to speak on that topic, but I will raise the issue with the department and the divisions, and we can provide additional context and insight if that would be helpful. As background, the Security Breach Notice Act includes dual enforcement mechanisms. The office of the attorney general has comprehensive authority to receive reports about data breaches and to investigate and enforce each data breach. The department has concurrent authority with the Security Breach Notice Act related to entities that are licensed or registered with the department. Last year, the department reviewed 116 data breaches impacting 68,000 Vermonters, roughly, I should say. The amendments we support today are based on the department's on the ground experience investigating breaches and bringing enforcement actions when necessary. I wanted to briefly walk through the three most substantive changes, but at the end, feel free to ask questions about any of the changes we've proposed.
Currently, the Security Breach Notice Act states that a breach occurs when there's been exposure I mean, this is a very rough a a rough summary, but exposure of personally identifiable information. And that information is defined as a consumer's first name and last name or first initial and last name in combination with one of the enumerated elements that we talked about a little bit during the walk through. Our concern is that we have had entities who have given preliminary breach preliminary notices to us and then said, actually, this wasn't a data breach because we lost someone's Social Security number, their bank account number, their mother's maiden name, and their birth date, but we didn't lose their name. I mean, this is I'm I'm hyperbolizing a little bit, but but the example is that you could lose multiple elements in combination on that list so long as you don't lose their name in connection with it, it wouldn't be considered a breach that would be reportable to the department or to the consumers that are impacted. And that was the concern that we were trying to mitigate here. There are other ways that other states have mitigated this, and I can talk through some of those if it would be helpful.
[Michael Marcotte (Chair)]: Do you want to hear what other states are? Yes. Sure.
[Hillary Borcheting (Assistant General Counsel, Department of Financial Regulation)]: There's one example from Georgia that I thought was helpful. They had essentially the same definition that we have in our existing law, but then they had a catchall provision at the end that said any of the data elements contained above when not in connection with the individual's first name or first initial and last name if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised. That might mitigate some of the concerns about the change being overly expansive. So I'd be happy to send that language over if that would be helpful.
[Rick Sable (Office of Legislative Counsel)]: Yeah. I think it would be. Yeah. Thank you.
[Hillary Borcheting (Assistant General Counsel, Department of Financial Regulation)]: The second amendment that I would talk about is the HIPAA exemption provision. The Security Breach Notice Act exempts some breaches related to HIPAA data from compliance with our rule, and this is based on the rationale that they have existing compliance under HIPAA, which is reasonable. However, failure to notify the AGO and DFR of these breaches has prevented the AGO and DFR from being able to understand the scope of exposure to Vermont consumers to make sure that those consumers have information to be able to respond if we get complaints from consumers. So, this amendment would continue to permit these entities to comply with HIPAA notice requirements as they relate to consumers, but will provide the AGO and DFR with an opportunity to make sure those notices actually happened, and also make sure that we have sufficient information if consumers reach out to our different departments asking for questions about breaches. The third amendment that I was going to focus on is the one that isn't contained in the current draft, and this is a change to the enforcement authority of the department. Right now, the Security Breach Notice Act reads that any entity regulated by the department has to report a breach to the department, but the department only has authority to investigate and enforce breaches related to entities that are licensed or registered with the department. This creates a not quite perfectly overlapping Venn diagram where entities that should be licensed by the department but have been conducting unlicensed activity, we can't investigate or enforce against those entities. Also, entities that are SEC registered entities and just notice file with the state, we can receive notices from them, but we can't investigate or enforce if there's a breach under the act.
And so what this amendment is doing is attempting to close that and make it a perfectly overlapping Venn diagram. And those were the primary changes that I wanted to address today, and show support for. But if you have any questions or you'd like to talk about anything else, I'm happy to stay on.
[Michael Marcotte (Chair)]: Thank you, Hillary. Thank you for sending that over to us.
[Monique Priestley (Clerk)]: Thank you.
[Herb Olson (Member)]: Steve?
[Michael Marcotte (Chair)]: No? No. It's young, the old, shop. We never join. Okay. So that is it for witnesses for today. Tomorrow, 09:00, we're hearing from our legislative interns. We'll be coming off the floor tomorrow morning, H2 11, and then we're looking at H3 5 tomorrow afternoon to wrap up our weekend wrap up time before we go on a little hiatus. 02:05 Eastern. So we're delaying two legislative days on 02/2005.
[Herb Olson (Member)]: Okay.
[Michael Marcotte (Chair)]: Two or three? Two. Two. So Tuesday. Tomorrow and okay. Right. Zach, do you want us to testify today or do you want
[Unidentified (multiple short interjections; diarization mix)]: to wait till tomorrow? Am I the only one this morning tomorrow?
[Monique Priestley (Clerk)]: No, no, there's less work tomorrow.
[Unidentified (multiple short interjections; diarization mix)]: Okay, then
[Monique Priestley (Clerk)]: I'll probably think I
[Unidentified committee member]: guess we'll wait till tomorrow. Okay, that's fine.
[Michael Marcotte (Chair)]: I think that ends our day today. We're on the floor at 03:30. Tomorrow, 05:12 will come up. And
[Rick Sable (Office of Legislative Counsel)]: I think
[Michael Marcotte (Chair)]: the reason why it's been on notice for two days is because it's a short form bill, so it has to sit on the calendar for two days in case anyone's wondering. So, any questions, committee?