Consumer records containing personal information were increasingly exposed by data breaches in 2018.[1] In seeking to manage cybersecurity-related risk, Virginia, like every other state in the U.S., District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, has enacted data breach notification laws.[2] Whether based in Virginia or beyond its borders, companies that own, license, or maintain computerized data containing Virginia residents’ personal or medical information are typically subject to regulation by the Commonwealth under its data breach statute and medical information law.[3] Virginia also has specific data breach notification requirements that apply to income tax preparers, employers, and payroll service providers that own or license computerized data related to wage withholdings.[4] For that reason, before a company can give legally sufficient notice to regulators and affected Virginia residents after discovering a data breach, it must first understand what qualifies as a reportable cybersecurity incident. This primer addresses the notification framework of Virginia’s data breach statute.
Who is typically subject to Virginia’s data breach statute?
Virginia’s data breach statute regulates both individuals and businesses, whether for profit or not for profit.[5] Moreover, out-of-state entities are subject to the statute so long as they maintain, own, or license any personal information of Virginia residents.[6] Exclusions from the statute can apply based upon an entity’s internal procedures for notification when consistent with the timing requirements of the statute, under the Gramm-Leach-Bliley Act governing financial institutions, and if an entity complies with the notification requirements established by its primary state or federal regulator.[7]
What qualifies as “personal information” under Virginia’s data breach statute?
As amended in 2019, “personal information” under Virginia’s data breach statute means a Virginia resident’s unencrypted, unredacted first initial or first name and last name combined with or linked to any of the following data elements:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts;
- Passport number [amendment effective July 1, 2019]; or
- Military identification number [amendment effective July 1, 2019].[8]
When is notice of a cybersecurity incident typically required under Virginia’s data breach statute?
The notice requirements of Virginia’s data breach statute are triggered when unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or there is a reasonable belief that the breach caused or will cause, identity theft or another fraud on a Virginia resident.[9]
Who typically must be notified under Virginia’s data breach statute and when?
If the notice requirements of Virginia’s data breach statute are triggered, the affected Virginia resident and the Virginia Office of the Attorney General (OAG) must receive notification of the cybersecurity incident without unreasonable delay.[10] Data breaches involving more than 1,000 persons at one time also require disclosure of the timing, distribution, and content of the notification to the OAG and all nationwide consumer reporting agencies.[11]
However, notice of a reportable cybersecurity incident under Virginia’s data breach statute may be reasonably delayed 1) to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system, and 2) if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security.
In addition to identifying the steps taken to protect personal information from further unauthorized access, the data breach notice must also describe:
- the incident in general terms;
- the type of personal information that was subject to the unauthorized access and acquisition;
- a telephone number that the person may call for further information and assistance, if one exists; and
- advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
What kind of liability might a business be subject to under Virginia’s data breach statute?
The OAG may bring enforcement actions under Virginia’s data breach statute and impose civil penalties of up to $150,000 per breach for statutory violations.[12]
Moreover, Virginia’s data breach statute does not limit an individual from recovering direct economic damages for a violation, which courts have interpreted to imply a private right of action for monetary relief.[13] For example, since 2011, individual and class action plaintiffs have sought relief under Virginia’s data breach statute in at least 21 state and federal court proceedings against companies from an array of industries.[14] In contrast to lawsuits filed under Virginia’s data breach statute, at least one federal court applying Virginia law has determined that no common law duty to safeguard private information exists independently from the statute.[15]
While it is impossible to eliminate all cybersecurity-related risk, a company responding to a data breach can potentially mitigate its litigation exposure by complying with applicable notice requirements to regulators and affected individuals, including those arising under Virginia’s data breach statute.
For assistance with this and similar matters, contact OFP Attorney James Miller,
or the professional who typically handles your matters at 703-218-2100.
[1] Identity Theft Resource Center (ITRC), 2018 End-of-Year Data Breach Report (2019), https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf (Key Finding #1).
[2] See, e.g., Va. Code § 18.2-186.6; Va. Code § 32.1-127.1:05; see also, e.g., D.C. Code § 28-3852;
Md. Code Ann., Com. Law § 14-3504. Although beyond the scope of this primer, depending on the entity and the nature of the information it owns, licenses, or maintains, federal and international laws and regulations may also apply. See 15 U.S.C. § 6801, et seq. (Gramm-Leach-Bliley Act); 16 C.F.R. § 318.1, et seq. (Federal Trade Commission regulations); 45 C.F.R. § 164.408 (Health Insurance Portability and Accountability Act regulations); Art. 33 GDPR (EU General Data Protection Regulation).
[3] Va. Code § 18.2-186.6; Va. Code § 32.1-127.1:05. As the applicability of Virginia’s medical information law is dependent, in part, upon an analysis of the Health Insurance Portability and Accountability Act and related Federal Trade Commission regulations, it is beyond the scope of this primer on Virginia’s data breach statute. See Va. Code § 32.1-127.1:05(F).
[4] Va. Code § 18.2-186.6(M); Va. Code § 58.1-341.2.
[5] Va. Code § 18.2-186.6(A)-(B).
[6] See id. at § 18.2-186.6(B).
[7] See id. at § 18.2-186.6(F)-(H).
[8] Id. at § 18.2-186.6(A); see also H.B. No. 2396 (enacted by the Virginia General Assembly on March 18, 2019).
[9] Va. Code § 18.2-186.6(B).
[10] Id.
[11] Id. at § 18.2-186.6(E).
[12] Id. at § 18.2-186.6(I). Under some circumstances, other Virginia agencies are responsible for enforcing the statute. See id. at § 18.2-186.6(J)-(K).
[13] See Patton v. Experian Data Corp., No. SACV1701559JVSDFMX, 2018 WL 6190349 (C.D. Cal. Jan. 23, 2018); Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015).
[14] See Prioleau v. Ascension Data & Analytics, LLC, No. 2:19-cv-1116-RMG (D.S.C. Apr. 16, 2019); Deutsche Bank Nat’l Tr. Co. v. Buck, No. 3:17CV833, 2019 WL 1440280 (E.D. Va. Mar. 29, 2019); Tilleman v. LeafFilter LLC, No. 5:18-cv-1152 (W.D. Tex. Nov. 2, 2018); McGarry v. Delta Air Lines, Inc., No. 1:18-cv-02794-CAP (N.D. Ga. Jun. 7, 2018); Green-Cooper v. Brinker International, Inc., No. 3:18-CV-686-J-32MCR (M.D. Fla. May 24, 2018); Naini v. Delta Air Lines, Inc., No. 2:18-cv-02876 (C.D. Cal. Apr. 6, 2018); Mekerdijian v. Saks Fifth Avenue LLC, No. 2:18-cv-02649 (C.D. Cal. Apr. 2, 2018); Patton v. Experian Data Corp., No. SACV1701559JVSDFMX, 2018 WL 6190349 (C.D. Cal. Jan. 23, 2018); Thomson v. Marriott International, Inc., No. 460009 (Md. Cir. Ct. Dec. 12, 2018); Gastineau v. Equifax, Inc., No. 1:17-cv-03769-CAP (N.D. Ga. Sept. 27, 2017); Murphy v. Equifax, Inc., No. 1:17-cv-03613-ELR (N.D. Ga. Sept. 18, 2017); In re Premera Blue Cross Customer Data Security Breach Litigation, No. 3:15CV00516 (D. Or. Sept. 30, 2016); In re Cmty. Health Sys., Inc., No. 15-CV-222-KOB, 2016 WL 4732630 (N.D. Ala. Sept. 12, 2016); In re Ashley Madison Customer Data Security Breach Litigation, No. 4:15MD2669 JAR (E.D. Mo. June 24, 2016); In Re Anthem, Inc. Customer Data Security Breach Litigation, No. 5:15MD02617 (N.D. Cal. Oct. 30, 2015); Doe v. Avid Life Media, Inc., No. 1:15-cv-07017 (S.D.N.Y Sept. 4, 2015); Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015); In re The Home Depot, Inc., Customer Data Security Breach Litigation, No. 1:14-md-02583-TWT (N.D. Ga. May 1, 2015); In re Target Corporation Customer Data Security Breach Litigation, No. 14MD02522 (D. Minn. Dec. 1, 2014); Irwin v. Jimmy John’s Franchise, LLC, No. 2:14-cv-02275-HAB-DGB (C.D. Ill. Nov. 6, 2014); Orman v. Citigroup, Inc., No. 11 CIV 7086 (S.D.N.Y. Oct. 7, 2011).
[15] Deutsche Bank Nat’l Tr. Co. as Tr. for Home Equity Mortg. Loan Asset-Backed Tr. Series Inabs 2006-A v. Buck, No. 3:17CV833, 2019 WL 1440280, at *6 (E.D. Va. Mar. 29, 2019).