Information Covered / Important Definitions
Personal information of Virginia residents.
“Security Breach” means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to a Virginia resident.
"Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable.
"Redact" means alteration or truncation of data such that no more than five digits of a social security number, or the last four digits of a driver's license number, state identification card number, or account number, are accessible as part of the personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
Any individual, legal or commercial entity that owns or licenses computerized data that includes personal information.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach without unreasonable delay following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or electronic notice must be provided to victims of a security breach without unreasonable delay, unless disclosure impedes law enforcement investigation (in which case notification is delayed until authorized by the law enforcement agency).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs exceed $50,000, the affected class exceeds 100,000 persons, or the covered entity has insufficient contact information or does not have consent to provide notice by the primary means.
- Notice only required if the security breach causes, or the covered entity reasonably believes has caused, or will cause, identity theft or other fraud to a Virginia resident.
Any person that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies and the attorney general.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Safe harbor not available if personal information is encrypted but the encryption key is compromised.
A covered entity is deemed in compliance with the Virginia statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Virginia statute.
A covered entity is deemed in compliance with the Virginia statute if it complies with notification requirements or procedures imposed by its primary or functional state or federal regulator.
A covered entity subject to GLBA is deemed in compliance.
Notification to Regulator / Waiver
Attorney general must be notified of a security breach.
A determination of no likelihood of harm does not require notification to the attorney general.
Employers or payroll service providers who experience a security breach involving a taxpayer identification number in combination with the income tax withheld must notify the Department of Taxation if the breach involves payroll information.
Notice must include the employer’s name and federal employer identification number.
Attorney general may bring an action and may impose a civil penalty not to exceed $150,000 per security breach or a series of breaches of a similar nature that are discovered in a single investigation.
Individuals may bring an action to recover direct economic damages resulting from a violation of the Virginia statute.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
Enforcement by attorney general and individuals.
Violations by state-chartered or licensed financial institutions are redressed by their primary state regulator.
Violations by insurance companies are redressed by the State Corporation Commission.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.