Scope of this Summary:
Notification requirements applicable to individuals or entities that own, license, or maintain covered information. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements. Incidents involving medical information may be subject to different requirements (Va. Code Ann. § 32.1-127.1:05).
Risk of Harm Threshold
Notification not required if covered entity reasonably believes that breach has not and will not cause identity theft or other fraud to any Virginia resident.
A breach is unauthorized access and acquisition that compromises the security or confidentiality of the covered information, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted, so long as encryption key was not accessed or acquired.
Form of Covered Information
The first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number issued in lieu of a driver's license number.
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.
- Passport number.
- Military identification number.
Consumer Notice Timing
Must be made without unreasonable delay following discovery or notification of the breach, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Consumer Notice Method
By written notice to last known postal address, telephonically, or electronic notice. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Notice shall include a description of the following:
- The incident in general terms.
- The type of personal information or medical information that was subject to the unauthorized access and acquisition.
- The general acts of the individual or entity to protect the personal information or medical information from further unauthorized access.
- A telephone number that the person may call for further information and assistance, if one exists.
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
Notification may be delayed if law enforcement determines and advises that notice will impede a criminal or civil investigation or national or homeland security.
If more than 1,000 residents are notified, must notify Attorney General without unreasonable delay following discovery or notification of the breach.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify all nationwide Consumer Reporting Agencies, without unreasonable delay, of the timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
An entity that is subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) (GLBA) and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that Act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this section.
If you maintain covered information on behalf of another entity, you must notify it without unreasonable delay following discovery of the breach.
Private Right of Action
The Virginia general breach notification statute allows an injured person to recover economic damages.
Violations may result in civil penalties.