By Tricia Dunlap (Esq. & CIPP/US)
Compared to other states, Virginia’s data privacy and security law narrowly defines what constitutes a data breach and personal information. However, it’s still imperative that business leaders understand the nuances of Virginia’s Law to protect their companies from legal risk.
For Virginia businesses, Virginia’s data privacy and security protection resides in title 18, among its criminal codes. In Virginia, a breach of personal information is a form of criminal fraud which might explain why the threshold for a “breach” is so high and the definition of personal information (PI) quite narrow. Virginia Code section 18.2-186.6 applies to individuals, governments, and all businesses – including for-profit and non-profit businesses, estates, trusts, and associations (more on government’s data privacy and security duties here). For an overview of “personal information” and “breach,” read on or click here for a video overview.
A “Breach” Defined Under Virginia Law
In Virginia, a cybersecurity incident is not a “breach” unless it meets all of these criteria:
- Unauthorized access to and acquisition of unencrypted or unredacted computerized data;
- The security or confidentiality of PI maintained as part of a database of multiple individuals is compromised; and
- The individual or entity that had custody of the database reasonably believes the unauthorized access and acquisition has caused or will cause the Virginia resident whose PI was compromised to suffer identity theft.
If your business encrypts or redacts PI, then even if an incident results in unauthorized access, it will not be a breach under Virginia law. If an individual’s PI is stored separate and apart from a database containing PI from multiple individuals, then arguably, unauthorized access to that PI is not a breach under the law.
Finally, an individual or business that suffered a cyber incident must also “reasonably believe” that the Virginia resident whose PI was compromised is or would be a victim of identity theft or it wasn’t a breach. Given the high threshold established by Virginia law, it is a wonder that a breach ever occurs in Virginia. As misuse of PI by both business and government proliferates and laws such as the California Consumer Privacy Act (more on that here and here), Nevada’s new internet privacy law, and the Massachusetts Data Protection Act provide much greater protection for residents of those states, it may not be long before Virginians grow dissatisfied with the status quo.
Personal Information Defined Under Virginia Law
Virginia’s definition of PI includes your unredacted or unencrypted first and last name or first initial and last name plus any one of the following:
- Social security number
- Driver’s license number
- Financial account number plus the security code necessary to access it
- Passport ID number
- Military ID number
So, for example, if a cybercriminal accesses an individual’s unredacted and unencrypted last name, full social security number, and address it would not be a breach under the law because Virginia’s definition of breach and PI requires the criminal to get both your first and last name plus your social security number (getting your address is a bonus). That may be cold comfort for most Virginians who recognize that criminals can do plenty of damage with their last name, address, and social security number.
What Businesses Are Required to Do in the Event of a Data Breach
If an incident results in a breach, under Virginia law, then the business must inform Virginia’s Attorney General and any affected Virginian “without unreasonable delay.” However, it’s okay to delay notice in order to assess the scope of the breach and restore system integrity or on the advice of law enforcement. Notice includes any of the following: (i) a writing mailed to the last address (ii) a telephone call, or (iii) “electronic notice” (which the General Assembly neglected to define). For a large breach (more than 100,000 Virginians or at a cost over $50,000), businesses can give “substitute notice” by sending an email, placing a conspicuous post on the business’ website, and notifying major statewide media.
While Virginia’s business-friendly code may be a source of comfort to business leaders, they should recognize that consumer expectations exceed the care required by black-letter law and reputational damage can also be costly. Further, as in Pennsylvania, a common-law negligence claim could successfully argue that a business which failed to use reasonable methods to safeguard PI therefore failed to fulfill its duty of reasonable care to its employees.
Evolving to Meet the Challenge: Watch for Changes in Virginia’s Data Privacy and Security Law
In Virginia’s 2019 General Assembly session, Delegate Hala Ayala introduced HB 2793 which proposed requiring businesses that own or license PI to “implement and maintain reasonable security procedures and practices . . . to protect [PI] from unauthorized access, destruction, use, modification, or disclosure” and, when the PI is no longer needed by the business to take reasonable steps to destroy the data. The Commerce & Labor Committee voted down Ayala’s bill but she introduced a revised version of it the 2020 session (more on that here). Virginia businesses should evolve to meet the inevitable challenge.
Find Out How Data Privacy Law Applies to Your Business
Dunlap Law can help you understand and adapt to the CCPA, Virginia data privacy and security law, and other data privacy laws nationwide. We closely track data privacy legal developments so you don’t have to. Call for a consultation today or ask Tricia Dunlap to speak to your group.
Dunlap Law is a SWaM-certified law firm in Richmond, Virginia and the only B Corp certified law firm in Virginia or DC. Tricia Dunlap holds the Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals. She is also 2020-2021 co-chair of the IAPP’s KnowledgeNet, Richmond Chapter.
But the agency is also limited in what it can do, and while it has asked for its powers to be expanded, that’s yet to happen. Meanwhile, Joseph J. Simons, who leads the commission, has said that a lack of consumer privacy law makes it hard to prove to a court that someone has been harmed by misuses or loss of their data, and that the passing of one would provide incentive to companies to behave better in the first place.