Virginia Data Breach Notification Requirements

WHO DOES THE LAW COVER? An individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality or any other legal entity, whether for profit or not for profit. This includes out-of-state entities that maintain, own, or license any personal information of Virginia residents.

WHAT INFORMATION IS PROTECTED? “Personal information,” which means:

  • The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

    • Social security number

    • Driver's license number or state identification card number issued in lieu of a driver's license number

    • Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts

    • Passport number; or

    • Military identification number

“Personal information” does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

WHAT IS A BREACH? The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any Virginia resident.

DOES NOT INCLUDE the good faith acquisition of personal information by an individual or entity’s employee or agent for the purposes of the individual or entity, provided that the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.

NOTE: Encrypted or redacted data is excluded from the statutory definition of a breach.

"Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable.

"Redact" means alteration or truncation of data such that no more than the following are accessible as part of the personal information:

  • Five digits of a social security number; or

  • The last four digits of a driver's license number, state identification card number, or account number.
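The redaction thresholds above are a property of the data as stored, not of how it is displayed: a record that holds the full value and merely masks it on screen is still unredacted if that record is acquired. The following is an added example, not part of the original page, of masking functions and an audit check that apply the statutory digit limits to stored records. The choice to show the last four SSN digits (the statute only caps the count at five) and the record field names are assumptions of the example; the sample records are constructed, not real identifiers.

```python
import re

# Thresholds from the statutory definition of "redact": no more than five digits of an
# SSN, and no more than the LAST four digits of a driver's license, state ID or account
# number, may remain accessible. The statute does not say which SSN digits may stay
# visible; showing the last four is this example's assumption.
SSN_MAX_VISIBLE = 5
OTHER_MAX_VISIBLE = 4
MASK = "X"


def _digits(value: str) -> str:
    """Strip everything but digits (dashes, spaces, etc. are ignored)."""
    return re.sub(r"\D", "", value)


def redact_ssn(ssn: str, keep: int = 4) -> str:
    """Mask an SSN so that only its last `keep` digits remain (keep must be <= 5)."""
    if keep > SSN_MAX_VISIBLE:
        raise ValueError(f"statute permits at most {SSN_MAX_VISIBLE} visible SSN digits")
    d = _digits(ssn)
    if len(d) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    masked = MASK * (9 - keep) + d[9 - keep:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def redact_number(number: str) -> str:
    """Mask a driver's license, state ID or account number down to its last four digits."""
    d = _digits(number)
    if len(d) <= OTHER_MAX_VISIBLE:
        raise ValueError("number too short to redact meaningfully")
    return MASK * (len(d) - OTHER_MAX_VISIBLE) + d[-OTHER_MAX_VISIBLE:]


def is_redacted(value: str, kind: str) -> bool:
    """True if a stored value meets the statutory threshold for its kind.

    kind is "ssn" or "number" (driver's license, state ID, account number).
    Separators (spaces, dashes) are ignored; only digits count as accessible.
    """
    core = re.sub(r"[\s-]", "", value)
    visible = sum(c.isdigit() for c in core)
    if kind == "ssn":
        return visible <= SSN_MAX_VISIBLE
    # For the other identifiers only the LAST four digits may be accessible, so a
    # digit anywhere before the final four positions means the value is not redacted.
    return visible <= OTHER_MAX_VISIBLE and not any(
        c.isdigit() for c in core[:-OTHER_MAX_VISIBLE]
    )


def audit_records(records: list) -> list:
    """Return (record index, field) for every field stored above the redaction threshold.

    Field names "ssn", "drivers_license" and "account" are this example's assumption.
    """
    findings = []
    for i, rec in enumerate(records):
        if "ssn" in rec and not is_redacted(rec["ssn"], "ssn"):
            findings.append((i, "ssn"))
        for field in ("drivers_license", "account"):
            if field in rec and not is_redacted(rec[field], "number"):
                findings.append((i, field))
    return findings


# Constructed sample records (not real identifiers): one stored in the clear, one redacted.
SAMPLE_RECORDS = [
    {"name": "A. Resident", "ssn": "123-45-6789", "account": "4111 1111 1111 1111"},
    {"name": "B. Resident", "ssn": "XXX-XX-6789", "drivers_license": "XXXXX1234"},
]

if __name__ == "__main__":
    print(audit_records(SAMPLE_RECORDS))         # [(0, 'ssn'), (0, 'account')]
    print(redact_ssn("123-45-6789"))             # XXX-XX-6789
    print(redact_number("4111 1111 1111 1111"))  # XXXXXXXXXXXX1111
```

Running the audit over a database export before an incident is the practical point: only fields that pass `is_redacted` as stored are outside the definition of a breach; everything the audit flags is data whose unauthorized acquisition can trigger notice.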

EXCEPTION: Notice of a breach is still required if

  • Encrypted information is accessed and acquired in an unencrypted form, or

  • The security breach involves a person with access to the encryption key and the breached individual or entity reasonably believes that the breach has caused or will cause identity theft or other fraud to any Virginia resident.

WHAT NOTICE DOES VIRGINIA LAW REQUIRE IN THE EVENT OF A BREACH? If a data breach occurs and causes (or reasonably may cause) identity theft or other fraud to any Virginia resident, the owner or licensor of the computerized personal information must disclose the breach to the Office of the Attorney General and to any affected resident of the Commonwealth.

Notice may be delayed if law enforcement advises that notice will impede an investigation.

WHAT MUST NOTICE INCLUDE?

  • The incident in general terms

  • The type of personal information that was subject to the unauthorized access and acquisition

  • The general acts of the individual or entity to protect the personal information from further unauthorized access

  • A telephone number that the person may call for further information and assistance, if one exists

  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

WHEN IS NOTICE REQUIRED? An owner or licensor of computerized information that suffers a data breach must notify “without unreasonable delay.” An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license must notify the owner or licensee of the breach “without unreasonable delay.”

Notice is only required for the unauthorized access and acquisition of information that is unencrypted or unredacted, unless

  • The encrypted information is accessed and acquired in an unencrypted form, or

  • The encryption key is compromised and the breached individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.

Notice may be reasonably delayed to allow the breached individual or entity to determine the scope of the data breach and restore the reasonable integrity of the system.

HOW TO PROVIDE NOTICE:

  • Written notice to the last known postal address in the records of the individual or entity

  • Telephone notice

  • Electronic notice

  • Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, or if the individual or the entity does not have sufficient contact information or consent to provide actual statutory notice

    • Substitute notice consists of all of the following:

      • E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents

      • Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; and

      • Notice to major statewide media.

    • NOTE: Substitute notice is also permitted if the affected class of Virginia residents to be notified exceeds 100,000 residents

If a breached individual or entity provides notice to more than 1,000 persons at one time, the individual or entity must, “without unreasonable delay,” notify the Virginia Attorney General and all consumer reporting agencies of the timing, distribution, and content of the notice. As part of the notification, the Virginia Attorney General’s Office requests the following information from the individual or entity making the notification:

  • A cover letter on official letterhead to the Virginia Attorney General’s Office as notification of the breach

  • The approximate date of the incident, including how the breach was discovered

  • The cause of the breach

  • The number of Virginia residents affected by the breach

  • The steps taken to remedy the breach

  • If an organization’s employees’ tax identification numbers and amount of tax withheld are breached, the Federal Employer Identification Number (FEIN) of the organization; and

  • A sample of the notification made to the affected parties, to include any possible offers of free credit monitoring.

INCOME TAX DATA OWNERS OR LICENSORS: Any employer or payroll service provider that owns or licenses computerized data relating to income tax must notify the Office of the Attorney General (OAG) “without unreasonable delay” after a data breach involving a taxpayer identification number in combination with the income tax withheld for that taxpayer, where the breach compromises the confidentiality of such data and causes or may reasonably cause identity theft or other fraud. (This applies only to the employer’s employees, not to customers.)

EXEMPTION FOR COMPLIANCE WITH FEDERAL LAW: An entity that is subject to Title V of the Gramm-Leach-Bliley Act and maintains data breach notification procedures under it satisfies Virginia data breach notification law. Likewise, an entity that complies with the notification requirements or procedures established by the rules, regulations, procedures, or guidelines of its primary or functional state or federal regulator is deemed in compliance with Virginia data breach notification law.

UPDATE: On April 14, 2022, Governor Youngkin approved three amendments to the Virginia Consumer Data Protection Act (VCDPA), which become effective January 1, 2023.

The first amendment allows a controller that has obtained personal data about a consumer from a source other than the consumer to comply with a consumer's request to delete such data by either

(i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records and not using such retained data for any other purpose pursuant to the provisions of this chapter or

(ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of the VCDPA.

The second amendment redefines the phrase “nonprofit organization” to include any political organization exempt from taxation under section 501(c)(3) of the Internal Revenue Code. Nonprofits will not have to comply with the VCDPA’s requirements.

The third amendment abolishes the previously established Consumer Privacy Fund.

Sean Griffin is an attorney and certified cybersecurity expert (CIPP-US) who advises clients on cybersecurity and litigates cybersecurity/privacy cases in Virginia, Maryland, and the District of Columbia. You can reach him via email at sgriffin@dykema.com or by phone at (202) 906-8703.
