To our clients and friends:
APRIL 10, 2008
Virginia: The 40th State
On March 17, 2008, the Commonwealth of Virginia joined 39 other states in enacting data breach notification laws, with Governor Tim Kaine’s signature on the latest data breach notification legislation in the country.
Beginning on July 1, 2008, individuals or entities that own or license computerized data that includes personal information of Virginia residents will be required to notify consumers, the Attorney General of Virginia, and in certain situations consumer reporting agencies when unencrypted or unredacted personal information was or is accessed and acquired by an unauthorized person and causes, or it is reasonably believed that it has caused or will cause, identity theft or another fraud to Virginia residents. There are two significant differences from other state data breach notification laws:
Individuals or entities must notify affected Virginia residents and the Office of the Attorney General of the breach “without unreasonable delay.” However, notice may be reasonably delayed to allow the individual or entity to determine the scope of the breach and to restore the reasonable integrity of the system, or if law enforcement determines that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. If notice must be provided to more than 1,000 persons at one time, the individual or entity is required to also notify “without unreasonable delay,” all consumer reporting agencies of the timing, distribution, and content of the notice. Lastly, individuals and entities that only maintain, but do not own or license the compromised data, are required to notify the owner or licensee of such data of the breach.
Like most other states with data breach notification laws, personal information includes first name or initial and last name combined with one of the following: social security number, driver’s license number, state identification card, or financial account information along with password or security code information. A breach is defined as an unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of Virginia. A breach also occurs when the security of encrypted data is compromised.
Individuals and entities that own or license the computerized data must provide notice to Virginia residents by written, telephonic, or electronic means. Substitute notice is permitted if the cost of providing notice exceeds $50,000, the number of affected residents exceeds 100,000, or the individual or entity lacks sufficient contact information or consent to provide notice. The notice must include:
Individuals and entities in compliance with federal laws covering protection and privacy of personal information are considered in compliance with the Virginia law as long as affected Virginia residents are notified in accordance with the federal law. Violations by state-chartered or licensed financial institutions are enforceable exclusively by the financial institution’s primary state regulator, while violations by an individual or entity regulated by the State Corporation Commission’s Bureau of Insurance are enforceable exclusively by the State Corporation Commission.
The full text of the Virginia law can be found on the Virginia state website. Clients should be aware of and become familiar with the provisions of this law in order to prepare for complying with its requirements before it goes into effect on July 1.
* * * * *
If you have questions regarding compliance with this, or any other state data breach notification law, or would like assistance with development of an incident response plan, please contact
or any member of your Mintz Levin client service team.
Copyright © 2008 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The above has been sent as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. and may be considered an advertisement or solicitation. The content enclosed is not intended to provide legal advice or to create an attorney-client relationship. The distribution list is maintained at Mintz Levin’s main office, located at One Financial Center, Boston, Massachusetts 02111.