Five Questions Answered about Virginia's Data Breach Law

Posted by Lori Salley Ring

Jul 28, 2015 8:30:00 AM

In past blogs we’ve discussed the threat of cybercrime and steps to protect systems, but what if a breach does occur and personal information is put at risk?  Most states have data breach statutes that dictate how companies are required to respond.  Virginia is no exception.  Here are the highlights of Virginia’s data breach statute.

1.   What is a Breach?  In Virginia, it’s generally defined as unauthorized access and acquisition of computerized data that compromises the security or confidentiality of personal information and that has caused or may cause identity theft or other fraud to any Virginia resident.

2.   What is Personal Information?  Personal information is a name in combination with a Social Security number; a driver's license number or state identification card number; or a financial account number with any required security/access code.  Safe harbors exist for encrypted data and redacted data (e.g., truncated information such as fewer than 6 digits of a Social Security number).

3.   Who is Notified and When?  When a breach is discovered or revealed to whoever owns or licenses the data, the Office of the Attorney General and any affected Virginian must be notified without unreasonable delay.  That's obviously important.  A reasonable delay could be a company’s attempt to understand the scope of the breach and restore their system’s integrity.  A delay may also be required if law enforcement determines that notification would pose a threat to a criminal investigation or national security (it's probably best not to tip off the cyber-criminal).  

4.   What Constitutes a Notice?  Notice may be provided in writing, by phone, or electronically.  In cases of large breaches, when the cost of providing notice will exceed $50,000, the number of Virginia residents to be notified exceeds 100,000, or there is not sufficient contact information or consent to provide notice, notification may be provided via email, conspicuous posting of the notice on the website, and notice to major statewide media.  Information provided in the notice must include a description of the incident in general terms; the type of personal information that was accessed and acquired; actions taken to protect the personal information from further unauthorized access; a telephone number that the person may call for further information and assistance, if one exists; and advice that directs the person to monitor their accounts and credit.

5.   What is the Penalty for Non-Compliance?  The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. An individual may also try to recover direct economic damages.

Remember:  this is a summary, not a description of all aspects of the statute.  For the complete statute, see Virginia Code § 18.2-186.6.  Note that there is a separate Virginia law for medical information breaches.



FocusData: TECHPol is a blog on technology and business policy issues affecting small and mid-sized companies.  TECHPol’s primary author, Lori Salley Ring, spent 20-plus years working on Capitol Hill, including as the top staffer on the House Committee on Small Business.  FDS is an IT consulting firm providing managed services, office tech relocation, network security, and IT support for businesses in the Washington, DC and Northern Virginia area.

About the Author

Lori Salley Ring

Lori serves as Policy Advisor and Communications Specialist for Focus Data Solutions.  Lori spent more than 20 years working for the U.S. Congress, including as Chief of Staff to a member of the House leadership and as the Staff Director for the Committee on Small Business.  Lori also ran a Washington-based non-profit organization between stints working for the Federal government. 
