§ 2453. Qualified personal information protection company
(a) A personal information protection company shall qualify to conduct its business under the terms of this chapter and applicable rules adopted by the Department of Financial Regulation.
(b) A person shall not engage in business as a personal information protection company in this State without first obtaining a certificate of authority from the Department.
(c) A personal information protection company shall:
(1) be organized or authorized to do business under the laws of this State;
(2) maintain a place of business in this State;
(3) appoint a registered agent to accept service of process and to otherwise act on its behalf in this State, provided that whenever the registered agent cannot with reasonable diligence be found at the Vermont registered office of the company, the Secretary of State shall be an agent of the company upon whom any process, notice, or demand may be served;
(4) annually hold at least one meeting of its governing body in this State, at which meeting one or more members of the body are physically present; and
(5) develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards sufficient to protect personal information, and which may include the use of blockchain technology, as defined in 12 V.S.A. § 1913, in some or all of its business activities. (Added 2017, No. 205 (Adj. Sess.), § 2.)