VA Code § 18.2-186.6: Virginia’s Data Breach Notification Requirements


February 18, 2020

While the California Consumer Privacy Act (CCPA) is garnering national attention and pushing the conversation toward a national privacy framework, Virginia has its own data breach notification rules in VA Code § 18.2-186.6, as amended. The statute requires an individual or entity that owns, maintains, or possesses personal identifying information of Virginia residents, and that reasonably believes such information was accessed or acquired by an unauthorized individual or entity, to report the breach to the Office of the Virginia Attorney General (OAG) and to notify each affected Virginia resident.

In short, if your Virginia business possesses “personal identifying information” (such as social security numbers, credit card numbers, passport numbers, dates of birth, etc.) and you believe that a third party has accessed or taken this information without permission, then you have a data breach. Once you suspect a data breach, the statute sets out a number of steps you must take to comply.

The statute prescribes specific requirements for the content and timing of the notification to the OAG and to the affected individuals. In addition to any civil action for actual damages and other regulatory sanctions, the OAG may bring a civil action seeking a civil penalty of up to $150,000 per breach.

The nuances of covered entities, covered data, and the notification requirements can be complex. Preventative maintenance and a thoughtful approach to your entity’s handling of personal information are essential for any Virginia business. Read more here about a thoughtful and preventative approach to handling data and your business’s IT risks.

If your Virginia entity believes that a data breach has occurred, it should immediately consult with experienced IT professionals and with our office to discuss the applicable requirements, since the statute requires prompt action.

Separate statutes govern the disclosure of private health information by state and local entities. Likewise, HIPAA and other federal requirements apply to covered health information.

Following the enactment of the CCPA and increased attention to data security and consumer privacy, Virginia recently introduced legislation that would impose a “duty of care” on covered entities with respect to the personal information they hold. While the bill did not pass, the trend is clearly toward heightened data privacy requirements for Virginia businesses.