Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach Notification Laws:
- Up to $150,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Specific information must be provided to residents affected by a data breach.
  • Breach notification to the Attorney General must be completed when any residents of Virginia are affected.
  • For breaches involving notification of more than 1,000 persons at one time, reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis and additional information must be provided to the Attorney General.
  • The state Attorney General has enforcement authority and may bring an action to address violations and impose civil penalties. Individuals also have the right to recover direct economic damages resulting from violations.
  • For violations of the Personal Information Privacy Act, damages may be awarded in the amount of $100 per violation and may include an award of reasonable attorney's fees and court costs.
  • Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Virginia passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and to investigate and respond to data breaches. Licensees must comply with the breach notification requirements effective July 1, 2020; with the requirements for a written information security program by July 1, 2021; and with the vendor management requirements by July 1, 2022.
Statutes and Laws
  • Va. Code § 18.2-186.6 Breach of personal information notification
  • Va. Code § 18.2-186.3 Identity theft; penalty; restitution; victim assistance
  • Va. Code §§ 59.1-442 – 59.1-444 Personal Information Privacy Act
  • Va. Code § 32.1-127.1:05 Breach of medical information notification
  • Va. Code § 38.2-623 Insurance Data Security Act