Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach Notification Laws:
- Up to $150,000
None to minimal
Specific information must be provided to residents affected by a data breach.
Breach notification to the Attorney General must be completed when any residents of Virginia are affected.
For breaches involving notification of more than 1,000 persons at one time, reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis and additional information must be provided to the Attorney General.
The state Attorney General has enforcement authority and may bring an action to address violations and impose civil penalties. Individuals also have the right to recover direct economic damages due to violations.
For violations of the Personal Information Privacy Act, damages may be awarded in the amount of $100 per violation and may include an award of reasonable attorney’s fees and court costs.
Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Virginia passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and to investigate and respond to data breaches. Licensees must comply with the breach notification requirements effective July 1, 2020; with the requirements for a written information security program effective July 1, 2021; and with the vendor management requirements effective July 1, 2022.
Statutes and Laws
Va. Code § 18.2-186.6 Breach of personal information notification