VERMONT PERSONAL INFORMATION PROTECTION COMPANY

A Background Summary

May, 2019

 

1. Background

As part of its FinTech/Blockchain initiative in the 2018 session, the Vermont Legislature adopted Act 205 (originally S. 269).  This law contained a number of initiatives, among them a provision that creates the possibility of a voluntary election by an entity to register as a Personal Information Protection Company (“PIPC” – pronounced “pipcee”).  A copy of these provisions, excerpted from Act 205, is set out at the end of this Background Summary.

 

The law’s primary goal is to establish a type of regulated company that will be required to put the interests of the consumers providing personal information to it first, ahead of the interests of the PIPC itself.  This legal approach differs from the prevailing means of dealing with personal information through “contracts” between the consumers providing information and the entities receiving it.  These contracts can be long and complex, are generally slanted toward the company, and are entered into with scant awareness on the part of consumers of their provisions.  By creating a different framework, in which persons providing information to PIPCs have assurances through statute and regulation as to the proper use of their personal information, Vermont offers a legal “gold standard” for the proper treatment of consumers and third parties dealing with a PIPC.

 

Under the PIPC legislation, personal information is defined as data capable of being associated with a particular natural person, such as gender identification, birth information, biometric records, government identification designations and personal histories. A PIPC is defined as a company that accepts personal information pursuant to a written agreement to provide personal information protection services.  Personal information protection services consist of receiving, holding and managing the disclosure or use of personal information pursuant to a written agreement and in the best interests and for the protection and benefit of the consumer. 

 

A PIPC is required to develop, implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards sufficient to protect personal information, which may but does not have to include blockchain technology. 

 

PIPCs are authorized to operate through remote interaction with individuals inside and outside of Vermont.  PIPCs are authorized to provide elements of personal information to third parties with whom the individual seeks to have a transaction, service relationship or other particular interaction.  PIPCs are required to qualify to conduct business under rules to be adopted by the Vermont Department of Financial Regulation (“DFR”).  It is anticipated that the DFR will solicit substantial input as to those rules from businesses already active in this business area.  Until such rules are adopted, a potential PIPC can apply to the DFR under the statute, as discussed below, and, to a large degree, develop its own approach to the PIPC requirements.

 

2. Seeking the PIPC Election

Although we understand that the DFR is considering possible regulations, it has yet to adopt any specific regulatory provisions following up on the PIPC legislation.  The DFR has promulgated an application form, a copy of which is attached to this Background Summary. This application has six parts:

Part I – Applicant Data

Part II – Overview

Part III – Management

Part IV – Financials

Part V – Information Systems

Part VI – Other

 

At a general level, the information requests reflect both the statutory disclosure mandates and the DFR’s history as a regulator of financial institutions. The specific information requested can be seen in the attached form. The requested disclosures are relatively extensive, but do not appear to be unexpectedly onerous.

 

3. Implications of the PIPC Status

 

While the PIPC status would constrain the operations of a registered entity, the upside of PIPC registration for a company holding personal data would be the powerful assurance that the data collected would be handled with appropriate and defined standards of confidentiality and data protection.  This can provide a marketing advantage, a solution to international regulatory concerns, and a commitment to treating consumers with heightened care and respect.

 

One possible application of a PIPC would be to design a data regime that mirrored the requirements of the European General Data Protection Regulation (“GDPR”).  Compliance with the GDPR is a significant concern for many data-holding entities.  A US company with a European presence could develop an approach to data use and storage that satisfies the GDPR and register the approach under the PIPC framework in the US.  This would give the company’s procedures a level of legal obligation that could be useful in standardizing operations across its international activities, as well as a means for providing assurance of governmentally-supervised internal rules to European regulators.

 

It should be noted that the PIPC framework does not have to be an “all or nothing” election for an enterprise.  It should be possible for a data-collecting company to establish the PIPC approach for a subsidiary handling a portion of its business, perhaps offering it as a premium treatment.  Also, a PIPC need not be a corporation or even a for-profit business.  The statute is agnostic as to the form of the PIPC entity, and PIPC status could potentially be granted to an LLC, a non-profit, a co-op, or any other recognized form of legal entity.

 

 

4. Further Information

For further information, please contact:

 

Oliver Goodenough, Special Counsel

ogoodenough@gravelshea.com

 

or

 

David Thelander, Special Counsel

dthelander@gravelshea.com

 

Gravel & Shea PC, 76 St. Paul Street, 7th Floor, Burlington, VT 05402-0369 | P 802.658.0220 | F 802.658.1456

 


EXCERPT FROM ACT 205

* * * Personal Information Protection Companies * * *

 

Sec. 2. 8 V.S.A. chapter 78 is added to read:

 

CHAPTER 78. PERSONAL INFORMATION PROTECTION COMPANIES

 

§ 2451. DEFINITIONS

 

As used in this section:

 

(1) “Personal information” means data capable of being associated with a particular natural person, including gender identification, birth information, marital status, citizenship and nationality, biometric records, government identification designations, and personal, educational, and financial histories.

(2) “Personal information protection company” means a business that is organized for the primary purpose of providing personal information protection services to individual consumers.

(3) “Personal information protection services” means receiving, holding, and managing the disclosure or use of personal information concerning an individual consumer:

(A) pursuant to a written agreement, in which the person receiving the individual consumer’s information agrees to serve as a personal information protection company, and which specifies the types of personal information to be held and the scope of services to be provided on behalf of the consumer; and

(B) in the best interests and for the protection and benefit of the consumer.

 

§ 2452. PERSONAL INFORMATION AS THE SUBJECT OF A FIDUCIARY RELATIONSHIP

A personal information protection company that accepts personal information pursuant to a written agreement to provide personal information protection services has a fiduciary responsibility to the consumer when providing personal protection services.

 

§ 2453. QUALIFIED PERSONAL INFORMATION PROTECTION COMPANY

(a) A personal information protection company shall qualify to conduct its business under the terms of this chapter and applicable rules adopted by the Department of Financial Regulation.

(b) A person shall not engage in business as a personal information protection company in this State without first obtaining a certificate of authority from the Department.

(c) A personal information protection company shall:

(1) be organized or authorized to do business under the laws of this State;

(2) maintain a place of business in this State;

(3) appoint a registered agent to accept service of process and to otherwise act on its behalf in this State, provided that whenever the registered agent cannot with reasonable diligence be found at the Vermont registered office of the company, the Secretary of State shall be an agent of the company upon whom any process, notice, or demand may be served;

(4) annually hold at least one meeting of its governing body in this State, at which meeting one or more members of the body are physically present; and

(5) develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities.

 

§ 2454. NAME; OFFICE

A personal information protection company shall file with the Department of Financial Regulation the name it proposes to use in connection with its business, which the Department shall not approve if it determines that the name may be misleading, likely to confuse the public, or deceptively similar to any other business name in use in this State.

 

§ 2455. CONDUCT OF BUSINESS

(a) A personal information protection company may:

(1) operate through remote interaction with the individuals entrusting personal information to the company, and there shall be no requirement of Vermont residency or other contact for any such individual to establish such a relationship with the company; and

(2) subject to applicable fiduciary duties, the terms of any agreement with the individual involved, and any applicable statutory or regulatory provision:

(A) provide elements of personal information to third parties with which the individual seeks to have a transaction, a service relationship, or other particular purpose interaction;

(B) provide certification or validation concerning personal information;

(C) receive compensation for acting in these capacities.

(b) An authorization to provide personal information may be either particular or general, provided it meets the terms of any agreement with the individual involved and any rules adopted by the Department of Financial Regulation.

 

§ 2456. FEES; AUTHORITY OF DEPARTMENT

(a)(1) The Department of Financial Regulation shall assess the following fees for a personal information protection company:

(A) an initial registration fee of $1,000.00, which includes a licensing fee of $500.00 and an investigation fee of $500.00;

(B) an annual renewal fee of $500.00;

(C) a change in address fee of $100.00.

(2) The Department shall have the authority to bill a personal information protection company for examination time at its standard rate.

(b) In addition to other powers conferred by this chapter, the Department shall have the authority to review records, conduct examinations, and require annual audits of a personal information protection company.

 

§ 2457. REPORTS; RULES

(a) The Department of Financial Regulation may prescribe by rule the timing and manner of reports by a personal information protection company to the Department.

(b) The Department may adopt rules to govern other aspects of the business of a personal information protection company, including its protection and safeguarding of personal information and its interaction with third parties with respect to personal information it holds.

 

Sec. 3. IMPLEMENTATION; REPORTS; RULES

On or before January 15, 2020, the Department of Financial Regulation shall submit to the House Committee on Commerce and Economic Development and the Senate Committee on Economic Development, Housing and General Affairs a progress report that addresses:

(1) the implementation of Sec. 2 of this act; and

(2) the status of rulemaking pursuant to its authority under 8 V.S.A. § 2457.


APPLICATION FORM FOR PERSONAL INFORMATION PROTECTION COMPANY CERTIFICATE OF AUTHORITY

Note: The following form has been re-formatted from PDF for inclusion with this summary.

 


STATE OF VERMONT

DEPARTMENT OF FINANCIAL REGULATION

89 Main Street, Montpelier, VT 05620-3101

(802) 828-3307

 

APPLICATION FOR PERSONAL INFORMATION PROTECTION COMPANY

CERTIFICATE OF AUTHORITY

Vermont Statutes Annotated, Title 8, Chapter 78

 

INSTRUCTIONS: All questions must be answered with complete and accurate information that is subject to verification. If the answer is none, not applicable, or unknown, so state. Answers of unknown should be explained. The questions in the application are not intended to limit the Applicant's presentation nor are the questions intended to duplicate information supplied on another form or in an exhibit. For such information, a cross reference to the information is acceptable. Any such cross-reference must be made to a specific cite or location in the documents, so the information can be located easily. Supporting information for all relevant factors, setting forth the basis for Applicant's conclusions, should accompany the application. The Vermont Banking Division (“Division”) may request additional information.

 

This application form collects information that the Division will need to evaluate a personal information protection company application. While most of the information will be available when the organizers submit the application, some information may not be available at that time. For any question about when to submit a specific item, organizers should contact the Division to discuss the specific timing for submission. The Division must consider the requirements set forth in the statute, as well as applicable regulatory requirements, when acting on this application. For additional information regarding these statutory and regulatory requirements, as well as processing procedures and guidelines and any supplemental information that may be required, please refer to chapter 78 in Title 8, Vermont Statutes Annotated. The Applicant may contact the Division directly for specific instruction.

 

Electronic Submission

In addition to an original application and the appropriate number of signed copies, the Division would like to have an electronic copy of the information in the application, especially of the business plan’s financial projections. Submission of an electronic copy is voluntary. The electronic copy may be provided on a flash drive or similar, using common word processing and spreadsheet software. For e-mail submissions, contact the Division for instructions and information about secure transmission of confidential material.

 

Confidentiality

Any Applicant desiring confidential treatment of specific portions of the application must submit a request in writing with the application. The request must discuss the justification for the requested treatment. The Applicant's reasons for requesting confidentiality should specifically demonstrate the harm (for example, loss of competitive position, invasion of privacy) that would result from public release of information (1 V.S.A. § 317). Information for which confidential treatment is requested should be: (1) specifically identified in the public portion of the application (by reference to the confidential section); (2) separately bound; and (3) labeled Confidential. The Applicant should follow the same procedure when requesting confidential treatment for the subsequent filing of supplemental information to the application.



 

This application must be typed

 

PART I - APPLICANT DATA

 

The proposed name of the company is:

_________________________________________________________

 

 

The proposed main office location of the company:

_________________________________________________________

(Street Address)

_________________________________________________________

(City, State, Zip Code)

_________________________________________________________

(Telephone Number)

 

 

The proposed Vermont location of the company:

_________________________________________________________

(Street Address)

_________________________________________________________

(City, State, Zip Code)

_________________________________________________________

(Telephone Number)

 

 

Individual to be contacted with respect to this application:

_________________________________________________________

(Name & Title)

_________________________________________________________

(Street Address/P.O. Box)

_________________________________________________________

(City, State, Zip Code)

_________________________________________________________

(Telephone Number)

_________________________________________________________

(E-mail Address)



 

Individual to serve as Vermont registered agent with respect to this application:

_________________________________________________________

(Name & Title)

_________________________________________________________

(Street Address/P.O. Box)

_________________________________________________________

(City, State, Zip Code)

_________________________________________________________

(Telephone Number)

_________________________________________________________

(E-mail Address)

 

PART II – OVERVIEW

 

(a) Provide a brief overview of the application. The overview should describe the primary purpose of the company and a description of the personal information protection services, including how the company will receive, hold, manage, disclose, and use the consumer’s personal information.

 

(b) Describe any issues about the permissibility of the proposal with regard to applicable state or federal laws or regulations. Identify any regulatory waiver requests and provide adequate justification.

 

(c) When available, provide a copy of all public or private offering materials and the proposed form of stock certificate, including any required restrictive legends.

 

(d) Provide a copy of the proposed organizational documents, including articles of association, articles of incorporation, or charter, and proposed bylaws or operating agreement.

 

(e) Provide a copy of the business plan.

 

PART III – MANAGEMENT

 

(a) Provide a description of the proposed ownership of stock, e.g. widely distributed or closely held. Include proposed amounts to be owned by organizers, proposed directors, officers and their families.

 

(b) Provide a list of the incorporators/organizers, proposed directors, senior executive officers, and any individual, or group of proposed shareholders acting in concert, that will own or control 10 percent or more of the company’s stock. For each person listed, attach an Interagency Biographical and Financial Report and Authority to Release Information form, and indicate all positions and offices currently held or to be held with the applicant’s holding company and its affiliates, if applicable. Include the signed “Oath of Director” for each proposed director.

 

(c) Describe each proposed director’s qualifications and experience to serve and oversee management’s implementation of the business plan. Describe the extent, if any, to which directors or major stockholders are or will be involved in the day-to-day management of the applicant. Also list the forms of compensation, if any.



 

(d) Provide a list of board committees and members.

 

(e) Describe any plans to provide ongoing director education or training.

 

(f) Describe each proposed senior executive officer’s duties and responsibilities and qualifications and experience to serve in his/her position. If a person has not yet been selected for a key position list the criteria that will be required in the selection process. Discuss the proposed terms of employment, including compensation and benefits, and attach a copy of all pertinent documents, including an employment contract or compensation arrangement. Provide the aggregate compensation of all officers.

 

(g) Describe any potential conflicts of interest.

 

(h) Describe any transaction, contract, professional fees, or any other type of business relationship involving the applicant, the holding company, and its affiliates (if applicable), and any organizer, director, senior executive officer, shareholder owning or controlling 10 percent or more, and other insiders. Include professional services or goods with respect to organizational expenses and premises and fixed asset transactions. (Transactions between affiliates of the holding company that do not involve the applicant need not be described.)

 

1) State whether the business relationship is made in the ordinary course of business, is made on substantially the same terms as those prevailing at the time for comparable transactions with non-insiders and does not present more than the normal risk of such transaction or present other unfavorable features.

 

2) Specify those organizers that approved each transaction and whether the transaction was disclosed to proposed directors and prospective shareholders.

 

3) Provide all relevant documentation, including contracts, independent appraisals, market valuations, and comparisons.

 

PART IV – FINANCIALS

 

(a) Submit pro forma financial statements for the proposed personal information protection company on opening day and year-end for the first three years of operation. Also include a detailed projection of earnings and expenses for the first three years of operation.

 

PART V – INFORMATION SYSTEMS

 

(a) Provide the company’s comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information.

 

1) State whether the applicant plans to market its products and services (the ability to do transactions or account maintenance) via electronic means. If yes, specifically state the products and services that will be offered electronically.

 

2) Outline the proposed or existing information systems architecture and any proposed changes or upgrades. The information should describe how: (a) the information system will work within existing technology; (b) the information system is suitable to the type of business in which the applicant will engage; (c) the security hardware, software, and procedures will be sufficient to protect the applicant and the consumer’s personal information from unauthorized tampering or access; and (d) the organizers and directors will allocate sufficient resources to the entire technology plan.

 

3) Provide lists or descriptions of the primary systems and flowcharts of the general processes related to the products and services. The level of detail in these system descriptions should be sufficient to enable verification of the cost projections in the pro formas.

 

4) Estimate the start-up budget for the information systems related to the products and services and the expected annual operating and maintenance costs (including telecommunications, hardware, software, and personnel).

 

5) Describe the physical and logical components of security. Describe the security system and discuss the technologies used and key elements for the security controls, internal controls, and audit procedures. Discuss the types of independent testing the applicant will conduct to ensure the integrity of the system and its controls.

 

6) Describe the information security program that will be in place to comply with guidelines for safeguarding customer information and all applicable laws and regulations.

 

7) Describe the company’s audit plan.

 

PART VI – OTHER

 

(a) List all activities and functions, including data processing, that will or may be outsourced to third parties, identifying the parties and noting any affiliations. Describe all terms and conditions of the vendor management activities and provide a copy of the proposed agreement or SSAE16 reports when available. Describe the due diligence conducted and the planned oversight and management program of the vendors’ or service providers’ relationships.

 

(b) List all planned expenses related to the organization of the applicant and include the name of recipient, type of professional service or goods, and amount. Describe how organization expenses will be paid.

 

(c) Provide evidence that the applicant will obtain sufficient fidelity coverage on its officers and employees to conform with generally accepted practices.

 

(d) Provide the company’s written agreement, in which the company upon receiving the individual consumer’s information agrees to serve as a personal information protection company, and which specifies the types of personal information to be held and the scope of services to be provided on behalf of the consumer; and in the best interests and for the protection and benefit of the consumer.

 

(e) Provide a copy of management’s policies and procedures.

(f) Submit proposed fee schedule for the services.



 

(g) Provide any information related to a website presence, including the website address, and usernames/handles for any social media presence.

 

(h) Provide a copy of any authorization form, specific or general, that will be used to authorize the provision of consumer’s personal information to third parties.

 

CERTIFICATION

 

We, the organizers, certify that the information contained in this application has been examined carefully and is true, correct, and complete, and is current as of the date of this submission. We also certify that any misrepresentations or omissions of material facts with respect to this application, any attachments to it, and any other documents or information provided in connection with the application for the organization of the proposed personal information protection company may be grounds for denial or revocation of the charter, or grounds for an objection to the undersigned as proposed director(s) or officer(s) of the proposed personal information protection company, and may subject the undersigned to other legal sanctions. We request that examiners be assigned to make any investigations necessary.

 

We acknowledge that approval of this application is in the discretion of the Commissioner of the Vermont Department of Financial Regulation. Actions or communications, whether oral, written, or electronic, by the Department or its employees in connection with this filing, including approval of the application if granted, do not constitute a contract, either express or implied, or any other obligation binding upon the Department, or any employee of the Department. Such actions or communications will not affect the ability of the Department to exercise its supervisory, regulatory, and examination powers under applicable law and regulations. We further acknowledge that the foregoing may not be waived or modified by any employee of the Department.

 

It is understood that the Commissioner, in applying the factors set out in Vermont statutes, will consider the application only with respect to the general character or type of business stated and that the personal information protection company will not engage in any other business without the prior written consent of the Commissioner.

 

It is further understood that the personal information protection company will not become effective (a) until the proposed personal information protection company has been incorporated and authorized to do business under the laws of Vermont, (b) until the board of directors of the personal information protection company has adopted a resolution ratifying and confirming this application with supporting information, (c) until the personal information protection company has fulfilled such requirements, if any, as the Commissioner may impose as a condition of its approval of this application, and (d) until the personal information protection company has received the Commissioner’s certificate of authority to commence business.

 

An applicant shall file with the Commissioner within 30 business days notification of any material changes in information provided in an application.

 



 

Please complete for each board member. Use multiple pages as needed. Each page must be notarized separately.

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

Typed name and address Signature

_______________________________________ ______________________________________

_______________________________________

_______________________________________

 

State of ______________) (Seal)

County of ____________)

On the ______ day of ___________________ in the year _________ , before me personally appeared

_________________________________________________________________________________

_________________________________________________________________________________

____________________________________________ to me known, who being duly sworn according to law, did depose and say that they have read, signed, and know the contents of the foregoing application, including attached documents, and that the statements contained in the application and attached documents are true and complete to their best knowledge and belief.

 

___________________________________________

(Notary Public)

 

Commission Expires _________________________