
Sklar Technologies

Resource Library Email Newsletter

Virginia Enacts Security Breach Law


Virginia recently became the 40th state to enact a security breach law, Va. Code Ann. § 18.2-186.6, which becomes effective on July 1, 2008. As with most of these laws, it applies to the improper acquisition of unencrypted computerized data. Virginia adopted the narrower definition of “personal information” since the law applies only to name, in combination with Social Security Number, driver's license number, state identification number, or a financial account number in combination with a security code or password, as opposed to other states that have included other forms of information in their security breach law.
Virginia adopted a standard that requires notice only if there is a reasonable belief that the breach will cause identity theft or other fraud. In a departure from the majority of states, Virginia permits notice of the breach to be given via telephone, e-mail, or in writing. Virginia also has mandated the form of notice, requiring that the notice:


- Describe the incident in general terms
- Disclose the timing of the incident
- Include telephone assistance numbers
- Describe the actions taken by the entity to ensure the information is protected from further improper acquisition
- Advise individuals whose information has been compromised to be “vigilant” and review account statements and free credit reports


The statute appears to require notice to the Office of the Attorney General even if the information of 1,000 or fewer residents has been breached, and certainly requires notice to the Virginia Attorney General and the consumer reporting agencies if more than 1,000 residents of Virginia are implicated in a breach.

Virginia also amended its Social Security Number law, found at Va. Code Ann. § 59.1-443.2, broadening its scope to include many public records. This amendment also becomes effective on July 1, 2008.

 

Sklar Response:

It is our opinion that this type of enforcement is a bit late, as Va. is the 40th state to get on board with this issue! If you have sensitive data like identities or credit card information, it is in your best interest to have a relationship with a service provider that can provide security for this information.