Virginia Breach of Personal Information Notification
VA Code § 18.2-186.6
SUMMARY:
EFFECTIVE. July 1, 2008
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Virginia and owns or licenses computerized data that includes Personal Information; and (2) any person or entity that maintains information on State residents that includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of and access to unencrypted or unredacted computerized data that compromises the security or confidentiality of Personal Information maintained by a person or business which causes or is reasonably likely to cause identity theft or other fraud of a Virginia resident. A good faith acquisition of Personal Information by an employee or agent of the person or business for internal purposes only is not a breach, if it is not used for an unlawful purpose or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with, and linked to, any one or more of the following data elements of a Virginia resident, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number, state identification card number, or military identification number.
- Passport number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected and the Attorney General.
If more than 1,000 individuals are involved in a breach, the person or business shall also notify the Attorney General and all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notice.
EXCEPTION. This Section does not apply to the following:
- Encrypted or redacted information.
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section is considered in compliance with this Section if the affected Virginia residents are notified by the person or business in accordance with its policies.
- An entity that is subject to Title V of the Federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and maintains procedures for notification of a breach according to the Act is considered in compliance with this Section.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to those State or Federal laws or rules is considered in compliance with this Section if the affected Virginia residents are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers or is notified of a security breach and believes the breach has caused or will cause identity theft or other fraud to a Virginia resident. The disclosure shall be made without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation or national security. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (to the last known address).
- Telephonic.
- Electronic.
- Substitute notice as provided below.
The notice shall include the following:
- General description of the incident.
- Type of Personal Information that was accessed or acquired.
- Steps taken to protect the Personal Information from further unauthorized access.
- Telephone number to call for further information or assistance.
- Advice to continue to monitor account statements and free credit reports.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains unencrypted data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of the breach upon discovery, without unreasonable delay. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may bring an action to enforce violations of this Section, excluding those involving State financial institutions or insurance companies. The Attorney General may impose a civil penalty up to $150,000 per breach, or series of breaches similar in nature involving a single investigation.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None for businesses.
LEGISLATIVE UPDATES.
S.B. 307 – Signed into law on 3/17/2008, Effective 7/1/2008.
H.B. 2113 – Signed into law on 7/1/2017, Effective 7/1/2017.
H.B. 2396 – Signed into law on 3/18/2019, Effective 7/1/2019.
For more information, see here: https://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.