On March 17, 2008, the Commonwealth of Virginia joined 39 other states in enacting data breach notification laws when Governor Tim Kaine signed the latest data breach notification legislation in the country.

Beginning on July 1, 2008, individuals or entities that own or license computerized data that includes personal information of Virginia residents will be required to notify consumers, the Attorney General of Virginia, and, in certain situations, consumer reporting agencies when unencrypted or unredacted personal information was or is accessed and acquired by an unauthorized person and the breach causes, or it is reasonably believed that the breach has caused or will cause, identity theft or another fraud to Virginia residents. There are two significant differences from other state data breach notification laws:

  1. Violations of the law are enforceable by the Attorney General, who may impose civil penalties of up to $150,000.
  2. Virginia also has included a private right of action for aggrieved individuals.

Individuals or entities must notify affected Virginia residents and the Office of the Attorney General of the breach "without unreasonable delay." However, notice may be reasonably delayed to allow the individual or entity to determine the scope of the breach and to restore the reasonable integrity of the system, or if law enforcement determines that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. If notice must be provided to more than 1,000 persons at one time, the individual or entity is also required to notify, "without unreasonable delay," all consumer reporting agencies of the timing, distribution, and content of the notice. Lastly, individuals and entities that only maintain, but do not own or license, the compromised data are required to notify the owner or licensee of such data of the breach.

As in most other states with data breach notification laws, personal information includes first name or initial and last name combined with one of the following: social security number, driver's license number, state identification card, or financial account information along with password or security code information. A breach is defined as an unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of Virginia. A breach also occurs when the security of encrypted data is compromised.

Individuals and entities that own or license the computerized data must provide notice to Virginia residents by written, telephonic, or electronic means. Substitute notice is permitted if the cost of providing notice exceeds $50,000, the number of affected residents exceeds 100,000, or the individual or entity lacks sufficient contact information or consent to provide notice. The notice must include:

  1. general information about the breach;
  2. the type of personal information that was subject to the unauthorized access and acquisition;
  3. the general measures taken by the individual or entity to protect the personal information from further unauthorized access;
  4. a telephone number that affected individuals may call for further information and assistance, if one exists; and
  5. advice about how affected individuals can stay alert by reviewing account information and monitoring their credit reports.

Individuals and entities in compliance with federal laws covering protection and privacy of personal information are considered in compliance with the Virginia law as long as affected Virginia residents are notified in accordance with the federal law. Violations by state-chartered or licensed financial institutions are enforceable exclusively by the financial institution's primary state regulator, while violations by an individual or entity regulated by the State Corporation Commission's Bureau of Insurance are enforceable exclusively by the State Corporation Commission.

The full text of the Virginia law can be found on the Virginia state website. Clients should be aware of and become familiar with the provisions of this law in order to prepare for complying with its requirements before it goes into effect on July 1.
