Five Questions Answered about Virginia’s Data Breach Law

In past blogs we’ve discussed the threat of cybercrime and steps to protect systems, but what if a breach does occur and personal information is put at risk? Most states have data breach statutes that dictate how companies are required to respond. Virginia is no exception. Here are the highlights of Virginia’s data breach statute.

1. What is a Breach? In Virginia, it’s generally defined as unauthorized access and acquisition of computerized data that compromises the security or confidentiality of personal information and that has caused or may cause identity theft or other fraud to any Virginia resident.

2. What is Personal Information? Personal information is a name in combination with a Social Security number; a driver’s license number or state identification card number; or a financial account number with any required security/access code. Safe harbors exist for encrypted data and redacted data (e.g., truncated information such as fewer than 6 digits of a Social Security number).

3. Who is Notified and When? When a breach is discovered or revealed to whoever owns or licenses the data, the Office of the Attorney General and any affected Virginian must be notified without unreasonable delay. That’s obviously important. A reasonable delay could be a company’s attempt to understand the scope of the breach and restore its system’s integrity. A delay may also be required if law enforcement determines that notification would pose a threat to a criminal investigation or national security (it’s probably best not to tip off the cyber-criminal).

4. What Constitutes a Notice? Notice may be provided in writing, by phone, or electronically. In cases of large breaches, when the cost of providing notice will exceed $50,000, the number of Virginia residents to be notified exceeds 100,000, or there is not sufficient contact information or consent to provide notice, notification may be provided via email, conspicuous posting of the notice on the website, and notice to major statewide media. Information provided in the notice must include a description of the incident in general terms; the type of personal information that was accessed and acquired; actions taken to protect the personal information from further unauthorized access; a telephone number that the person may call for further information and assistance, if one exists; and advice that directs the person to monitor their accounts and credit.

5. What is the Penalty for Non-Compliance? The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. An individual may also try to recover direct economic damages.

Remember: this is a summary, not a description of all aspects of the statute. For the complete statute, see Virginia Code § 18.2-186.6. Note that there is a separate Virginia law for medical information breaches.