Virginia Data Breach Notification Law

Notification deadline: Without unreasonable delay

Enforcement: Virginia Attorney General

Overview

Virginia requires breach notification "without unreasonable delay" and became the second state (after California) to pass a comprehensive privacy law - the Virginia Consumer Data Protection Act (VCDPA) - which adds significant data protection requirements.

Who Must Be Notified

• • Affected Virginia residents
• • Virginia Attorney General (if 1,000+ residents affected)
• • Consumer reporting agencies (if 1,000+ residents affected)

Covered Data Types

Social Security number, Driver's license number, Financial account number with access code, Credit/debit card number, Passport number, Military ID number, Biometric data, Medical information, Health insurance information, Username with password

Notification Requirements

• • Written, telephonic, or electronic notice without unreasonable delay
• • Description of incident and types of information involved
• • Contact information for business
• • Contact information for FTC and credit bureaus
• • Notify AG if 1,000+ residents affected
• • Notify consumer reporting agencies if 1,000+ residents affected

Exemptions

• • Encrypted data (if key not compromised)
• • Good faith acquisition by employee
• • Entities in compliance with GLBA, HIPAA
• • Publicly available information

Penalties

Up to $7,500 per violation under VCDPA. AG can seek injunctions and civil penalties. No private right of action under VCDPA.