Security Breach Law in Virginia, New Privacy Requirements

Va. Code § 18.2-186.6 § 32.1-127.1:05 is a data breach notification law that was initially passed in the U.S. state of Virginia in 2008 and has been amended several times since, most recently in 2019. As Virginia is only one of a handful of states within the U.S. that has passed a comprehensive data protection law in the form of the Virginia Consumer Data Protection Act or VCDPA, Va. Code § 18.2-186.6 § 32.1-127.1:05 represents a part of an already existing legal framework within the state geared towards protecting personal data and privacy. As such, Va. Code § 18.2-186.6 § 32.1-127.1:05 establishes the protocol that businesses within the state are responsible for following in the event that a data breach occurs, as well as the punishments that can be handed down for violating this protocol.

What is the scope and application of Va. Code § 18.2-186.6 § 32.1-127.1:05?

In terms of the scope and application of Va. Code § 18.2-186.6 § 32.1-127.1:05, the provisions set forth in the law are applicable to any “an individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality or any other legal entity, whether for profit or not for profit (collectively, Entity) that owns or licenses computerized data that includes PI.” Alternatively, the law also contains separate provisions for certain entities within Virginia, such as healthcare facilities and government agencies.

What are the data breach notification requirements under Va. Code § 18.2-186.6 § 32.1-127.1:05?

Much like other data breach notification laws around the U.S., Va. Code § 18.2-186.6 § 32.1-127.1:05 mandates that business entities provide notification to affected parties should a data breach occur. However, the law differs from many other data breach notification laws in that it also covers employee tax income data. With this being said, in addition to providing consumers with information such as the extent and scope of the breach, as well as the types of personal information that were disclosed during the breach, business entities within Virginia that “that own or license computerized data relating to state income tax withheld” must also provide notification to the Virginia attorney general should they experience a data breach.

Moreover, all data breach notifications that are provided to individuals and parties within the state of Virginia must contain the following information:

• A description of the events surrounding the data breach, in general terms.
• The types of personal or medical information that were disclosed as a result of the data breach.
• Any actions the affected entity undertook to protect personal information from further unauthorized disclosure.
• A telephone number that affected individuals may contact to receive further information and details concerning the breach, if such information is available.
• Any advice that affects individuals can take advantage of in order to mitigate the effects of the breach, such as remaining vigilant through the reviewing of financial account statements and free credit monitoring reports.

What types of personal information are covered under Va. Code § 18.2-186.6 § 32.1-127.1:05?

As Va. Code § 18.2-186.6 § 32.1-127.1:05 protects both personal and health information, there are two categories of data that are protected under the law. To this point, the following types of personal information are legally protected in the event that a data breach takes place, in combination with a Virginia resident’s first name or first initial and last name, permitting the following data elements have not been encrypted or redacted:

• Social security numbers.
• Driver’s license numbers and state identification cards that may be issued in lieu of a driver’s license.
• Financial account numbers and credit and debit card numbers, as well as any required passwords, security codes, or access codes that could be used to permit access to an individual’s financial account.
• Passport numbers.
• Military identification numbers.

Conversely, Va. Code § 18.2-186.6 § 32.1-127.1:05 also protects the following types of medical information:

• Information regarding an individual’s medical history, treatment or diagnosis, as well mental and physical conditions.
• An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

What are the penalties for Va. Code § 18.2-186.6 § 32.1-127.1:05?

The provisions that were laid out in Va. Code § 18.2-186.6 § 32.1-127.1:05 are enforceable by the Virginia attorney general. Subsequently, the Virginia attorney general has the authority to impose numerous sanctions and penalties against business entities and organizations within the state that are found to be in violation of the law. Most notably, business entities that fail to comply with the law are subject to a monetary penalty of up to $150,000 per breach. Additionally, data breaches that involve healthcare information are subject to a separate set of punishments, in accordance with federal legislation such as the Health Insurance Portability and Accountability Act or HIPAA.

The provisions of Va. Code § 18.2-186.6 § 32.1-127.1:05 in conjunction with the Virginia Consumer Data Protection Act represent the legal framework for protecting the personal data and privacy of citizens within the state of Virginia. Through the regulations set forth in such legislation, residents of Virginia have multiple avenues they can pursue in the event that their personal information is compromised for any reason. As such, Virginia residents are afforded a level of data protection that is not standard within most states around the country, as the U.S. has yet to pass a comprehensive data protection law at the federal level.