Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

VIRGINIA DATA PRIVACY REGULATIONS

Did You Know?


Its statutes may include:

  • Specific methods of notification delivery;
  • Data owners are responsible for the reporting and notifications;
  • Notification may be required to the state attorney general, the consumer reporting agencies, or the Commissioner of Health;
  • Laws also cover data protection and record retention;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

Who Me?


Virginia breach and notification laws may apply if you are an individual or entity that:

  • Owns or licenses computerized data that includes PII (data owner); or
  • Maintains computerized data that includes PII which the individual or entity does not own or license (vendor).

There are exceptions for entities already subject to federal regulations, but minimum standards must still be met.

See statute for detailed definition of “entity” as it relates to the PII and PHI of the Virginia statutes.

What is PII?


PII relevant to a breach in Virginia includes an individual’s name with one or more of the following:

  • Social security, driver’s license or state identification card number;
  • Financial account or credit/debit card numbers, with security or access codes, passwords, etc.;
  • Medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  • Health insurance policy or subscriber ID number, any unique ID used by a health insurer, or application or claims history, including any appeals records.

LAWS

APPLICABLE LAW

A few relevant statutes from the Code of Virginia include, but are not limited to:

Title 18.2 / Chapter 6 / § 18.2-186.6. Breach of personal information notification;

Title 32.1. Health / Chapter 5 / § 32.1-127.1:05. Breach of medical information notification.

RELATED LAWS

A few related statutes include, but are not limited to:

  • § 32.1-127.1:01. Record storage;
  • § 32.1-127.1:03. Health records privacy;
  • § 2.2-3808. Collection, disclosure, or display of social security number;
  • § 59.1-443.2. Restricted use of social security numbers;
  • § 59.1-443.3. Scanning information from driver's license or identification card; retention, sale, or dissemination of information;
  • § 18.2-194. Unauthorized possession of two or more signed credit cards or credit card numbers.

PENALTIES

COMPLIANCE PENALTIES

The state attorney general has enforcement authority and may impose a civil penalty not to exceed $150,000 per breach of the security of the system. Individuals also have the right to recover direct economic damages resulting from a violation.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when determining whether reporting is required include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted, redacted, or otherwise altered;
  • If the data included any kind of key, access code or cipher;
  • If encrypted information was accessed and acquired in an unencrypted form;
  • If it was acquired by an unauthorized person; or
  • If it may be used for identity theft or other fraud.

TIME LIMITS

In Virginia, notifications must be made following discovery of the breach and without unreasonable delay, unless law enforcement advises the person that notification will impede a criminal or civil investigation. Where required, the state attorney general, Commissioner of Health, and/or consumer reporting agencies must be notified on the same basis.

CONSUMER NOTIFICATION

Consumer notification requires detailed information and may require the provision of services to affected individuals.

Notification may be required to the state attorney general, Commissioner of Health, and/or consumer reporting agencies.

Disclosure may be made by written notice, electronically, or by telephone, each subject to stipulations. A substitute notice, with its own specific requirements, may be used if the person demonstrates that the cost of providing notice would exceed $50,000, that the number of persons to be notified exceeds 100,000, or that the person does not have sufficient contact information or legal consent to provide notice.

Contact the Privacy Experts at CSR