Virginia
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay
FINES & PENALTIES – Violations
Up to $150,000
Regulation Levels
-
Breach Reporting
-
Consumer Notification
-
Vendor Management
-
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting
Required
Vendor Obligations
Required
Consumer Notification
Required
Vendor Contracts
Not Required
Vendor Notification
Required
Privacy Program
Not Required
QUICK FACTS
Virginia Privacy Law Information
For breaches involving notification of more than 1,000 persons at one time, breach reporting is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, and additional information must be provided to the Attorney General. If any state residents are affected by a breach of security, the breached Organization must give notice without delay to the affected individuals and the Attorney General. Regulatory reporting and consumer notifications must include specific information regarding a breach incident.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors must report to the Organization without delay after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.
Virginia passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
The state Attorney General has the enforcement and authority to bring an action to address violations and impose civil penalties up to $150,000 per breach or series of breaches. Individuals also have the right to recover direct economic damages due to violations.
Virginia Statutes and Laws
Breach of personal information notification
Breach of medical information notification
Insurance data security act
Personal Information Privacy Act
DISCLAIMER
The information provided is not legal guidance or recommendations and are for informational purposes only.