Vermonters Could Once Learn of a Data Breach in One Click. Why Did the AG's Office Make It Harder?
Compass Vermont submitted written questions to the Attorney General’s Office asking what prompted the decision. The office did not respond.
If you are a Vermonter who wants to read the official notice of a data breach that exposed your own personal information, here is what you now have to do: send the Attorney General’s Office an email and wait.
Until this spring, you could simply open the document on the office’s website. As of Compass Vermont’s review on June 3, 2026, you cannot.
In mid-April, the Vermont Attorney General’s Office changed how the public reaches one of the state’s more useful consumer-protection records: the security-breach notices that companies are legally required to file whenever a data breach exposes Vermonters’ personal information. By the office’s own account, the page now “summarizes those reports beginning April 17, 2026.”
Previously, the office posted those notices — the actual documents, filed by the breached companies — where anyone could open them. As of Compass’s June 3 review, the page carried only a summary table; the underlying documents were no longer available to download. To see one, a Vermonter must email the office and ask for it.
The office gives a reason, sort of…
“To meet digital accessibility standards for government websites,” the page reads, “we are no longer able to post PDF files of security breach notices provided by third parties on this webpage.” It tells anyone who wants the details of a particular breach to request “a copy of the sample consumer notice” by emailing AGO.SecurityBreach@vermont.gov — language suggesting that what a requester receives may be the template notice a company sent to affected consumers, not necessarily the full report the company filed with the state. Under Vermont’s data-breach law, 9 V.S.A. § 2435, a breached business owes the Attorney General more than it owes consumers: a preliminary notice to the AG’s office within 14 business days of discovering a breach — including the date of the breach, the date of discovery, and a description of what happened — separate from, and earlier than, the consumer notice it must send to affected individuals. The consumer notice is the thinner, later document. If the email-request process yields only that, the public is being routed to the less informative of the two records.
The accessibility standard is real. Whether it required this is another question — and the rule the office is pointing to appears to say the opposite.
What the rule actually requires
The standard at issue is the U.S. Department of Justice’s 2024 rule under Title II of the Americans with Disabilities Act, which requires state and local governments to make their web content conform to a technical accessibility benchmark known as WCAG 2.1, Level AA. PDFs are squarely covered: the rule treats them as “conventional electronic documents” that must, as a general matter, meet the standard.
But the rule does not stop there, and the parts the office’s notice leaves out are the parts that matter.
First, the timing. The compliance deadline for large public entities like the State of Vermont was originally April 24, 2026. On April 20, 2026 — three days after the office’s own April 17 cutoff — DOJ published an interim final rule pushing that deadline back a full year, to April 26, 2027. If the original 2026 deadline was part of what drove the office’s timing, that deadline was no longer in force within days of the change.
Second, and more important, the rule contains explicit exceptions. Under 28 C.F.R. § 35.201(b), the requirement does not apply to “preexisting conventional electronic documents” — documents already posted before the entity’s compliance date — with one condition: the carve-out does not cover documents “currently used to apply for, gain access to, or participate in the public entity’s services, programs, or activities.” In Compass’s reading, a breach notice is a reference record — nobody uses one to apply for a benefit or access a service — and so the notices posted before the compliance date appear to fit the exception. With that deadline now extended to 2027, the set of documents that count as “preexisting” only grows. The office may read the exception differently; if so, it has not said how.
The rule provides a second path as well. Section 35.201(a) exempts “archived web content” — material kept for reference or recordkeeping — provided it sits in a clearly identified archive and is not altered after archiving. DOJ’s own guidance cautions that an entity cannot simply relabel active content as “archived” to escape the rule; the archive has to be real. But a properly maintained archive of past breach notices is exactly the sort of thing the exception contemplates.
And the rule never lists removal as a way to comply. Section 35.202 permits an entity to fall back on an “alternate version” of web content “only where it is not possible to make web content directly accessible due to technical or legal limitations.” DOJ’s own guidance lays out the tools an entity can use — the § 35.201 exceptions, the § 35.204 burden limits, and § 35.202 alternate versions. Taking documents down and directing the public to email for them is not among them. Removal is not a remedy the regulation describes. It is a choice.
Maine made a different choice
The clearest evidence that removal was not required sits one state over. As of Compass’s June 3 review, the Maine Attorney General’s Office maintained a public data-breach database, reaching back several years, with the underlying notices available to download directly, no email required. Maine is a state government subject to the same federal rule and the same deadline as Vermont.
Maine’s page also shows what accommodation under the rule can look like. Rather than stripping documents, it invites anyone who finds content inaccessible to request it in an accessible format, which the office will then provide. That is the kind of accommodation DOJ’s guidance contemplates — keep the records public, and supply an accessible version to anyone who needs one. Vermont inverted it — pull the records from everyone, and make everyone ask.
ANALYSIS: A change that costs the public and the office both
There is a defensible reason a government office might not want to remediate a large stockpile of third-party PDFs to a technical standard: doing so takes time and money, and the office did not create the documents or control their formatting. The rule itself recognizes this. Section 35.204 relieves an entity of steps that would impose “undue financial and administrative burdens” or fundamentally alter a service — one provision the office could point to. But that defense answers the cost of making documents accessible; it does not justify removing them. Leaving the existing files posted adds no new cost. Taking them down and routing the public to individual email requests does. The defense built for offices in exactly this position argues, on its own logic, for keeping the documents up — and the preexisting-document exception means the office would need neither to remediate them nor to remove them.
What the office did instead carries a cost on both ends. For the public, a record that was one click away is now gated behind an email and a wait. For Vermonters trying to understand a breach that exposed their own data — the recent Carnival Corporation breach affected 3,915 Vermont residents, according to the Attorney General’s own summary table reviewed by Compass on June 3 — the delay lands at exactly the moment speed matters most. And for the office itself, the change converts a static web page that served itself into a standing obligation: every request now requires a staff member to receive it, find the document, and send it, one at a time, indefinitely. The office appears to have taken on recurring staff work to make its own records harder to reach.
The accessibility rule explains why the office may have needed to review how breach notices appeared online. It does not, on its face, explain why the office chose an approach that reduces public access and adds to its own workload, when the rule it cited offered paths to do neither.
What Compass asked
Compass Vermont submitted written questions to the Attorney General’s Office on June 3, asking what prompted the decision, whether the office evaluated the rule’s exceptions for these records, whether it considered alternatives such as Maine’s accessible-on-request approach, whether the April 20 deadline extension factored in, and how many records are now available only by request. Compass asked for a response by close of business Thursday, June 4, 2026.
The office did not respond by that deadline. Compass also asked whether the office has a standing policy of not responding to its inquiries; it did not answer that question either. It is part of a pattern: the office has not responded to Compass inquiries in the recent past.
The silence is notable mainly because the office is not uniformly unresponsive. When Compass recently emailed the same address — the one the office now directs the public to use — to request a copy of a breach notice, it received the document within a day. A routine document request was answered promptly; the questions about why the office changed the process were not.
How to get a breach notice now
As of Compass’s June 3 review, Vermonters who want the details of a specific breach were directed to request what the office calls “the sample consumer notice” by emailing AGO.SecurityBreach@vermont.gov. The summary table of reports filed since April 17, 2026 remains viewable on the office’s Security Breach Notices page. Anyone who wants a durable copy of what the public page shows at a given moment can capture it themselves; web pages change, and this one already has.
How we reported this
This story relies on primary records: the Vermont Attorney General’s Security Breach Notices page and its posted explanation; the text of the federal rule at 28 C.F.R. §§ 35.200–35.202 and its definitions; the Department of Justice’s April 2024 final rule and its April 2026 interim final rule extending the compliance deadline; and the Maine Attorney General’s public data-breach database. Characterizations of what the rule permits reflect its plain text; Compass is not a law firm and does not offer a legal conclusion about whether the office’s specific documents would qualify under each exception — only that the exceptions exist and, on their face, appear to reach records of this kind.