The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
State Data Breach Notification Statute
Covered Entities: An individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit, that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to any Commonwealth resident whose “unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth.”
Regulatory Notification: Notification must be provided to the Office of the Attorney General when a resident of the Commonwealth is notified of a breach.
Notification Timeline: Notification must be provided “without unreasonable delay.”
Data Format: Electronic.
Citations: Va. Code Ann. § 18.2-186.6.
- Breach: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with and linked to any one or more of the following unencrypted or unredacted data elements:
- Social Security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts;
- Passport number; or
- Military identification number.
- Medical Information: Any information regarding an individual’s medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Health Insurance Information: An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
- Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, so long as the encryption key was not also acquired thereby rendering the PI readable / usable.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of an individual or entity for the lawful purposes of the individual or entity.
- Risk of Harm: Notification is not required if the entity reasonably believes that the breach has not caused and will not cause identity theft or other fraud to any resident of the Commonwealth.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or will impact homeland or national security.
- Timing: Notification must be provided without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
- Format: N/A
- Content: Notification letters must include the following:
- The incident in general terms;
- The type of personal information that was subject to the unauthorized access and acquisition;
- The general acts of the individual or entity to protect the personal information from further unauthorized access;
- A telephone number that the person may call for further information and assistance, if one exists; and
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
- Method: Notification may be provided (1) by written notice to the last known postal address in the records of the individual or entity; (2) by telephone notice; or (3) by electronic notice.
An individual or entity may provide substitute notice if (1) the cost of providing notice would exceed $50,000, (2) the notification population exceeds 100,000 residents, or (3) the individual or entity does not have sufficient contact information or consent to provide notice. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage; and (3) notice to statewide media.
Notification must be provided to the Office of the Attorney General where a Commonwealth resident requires notification.
Any employer or payroll service provider that owns or licenses computerized data relating to income tax must notify the Office of the Attorney General without unreasonable delay after discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. For employers, this notification obligation applies only to information relating to their own employees.
Credit Reporting Agencies Notice:
If an individual or entity provides notice to more than 1,000 persons, the individual or entity must notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notice.
An individual or entity that maintains computerized data including PI that the individual or entity does not own or license must notify the owner or licensee of the PI of the “breach” without unreasonable delay following discovery.
The notification requirements for incidents involving medical information do not apply to (1) a person or entity who is a “covered entity” or “business associate” for purposes of the Health Insurance Portability and Accountability Act (HIPAA), or (2) a person or entity who is a non-HIPAA-covered entity subject to the Health Breach Notification Rule promulgated by the Federal Trade Commission pursuant to 42 U.S.C. § 17937 et seq.
The Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system, or per series of breaches of a similar nature that are discovered in a single investigation. Violations by state-chartered or licensed financial institutions are enforceable by the financial institution’s primary state regulator. Impacted individuals may recover direct economic damages resulting from violations.
- Va. Code Ann. § 22.1-287.02
US Comprehensive Data Privacy Laws
Virginia Consumer Data Protection Act
Va. Code §§ 59.1-575 to 59.1-585
Entities or persons that conduct business in Virginia or produce or deliver commercial products or services intentionally targeted to Virginia residents and that Control or Process Personal Data of:
- 100,000 Consumers or more during a calendar year; or
- 25,000 or more Consumers and derive over 50% of gross revenue from Personal Data Sales.
Among other exclusions, the VCDPA excludes state and local government entities; institutions of higher education; covered entities and business associates governed by HIPAA; GLBA entities; employment-related data; nonprofit organizations; and data regulated by the DPPA, FERPA, and the FCRA.
Covered Entity Obligations:
Controllers. VCDPA Controller duties include obligations to:
- Limit the collection of Personal Data to only that which is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.
- Minimize Processing of Personal Data to purposes that are reasonably necessary and compatible with the disclosed purpose for the Processing unless the Consumer gives Consent.
- Implement reasonable security procedures and practices commensurate with the nature of the Personal Data so as to protect its confidentiality, integrity, and availability.
- Not unlawfully discriminate when Processing Personal Data.
- Not discriminate against a Consumer for exercising Personal Data rights.
- Obtain Consumer Consent prior to Processing Sensitive Data, and Process Sensitive Personal Data of a known child in accordance with COPPA.
- Not make any contract or agreement of any kind that purports to waive or limit in any way a Consumer’s rights under the VCDPA. Such an agreement is contrary to public policy and is void and unenforceable.
- Provide Consumers with a reasonably accessible, clear, and meaningful privacy notice addressing:
- The categories of Personal Data Processed by the Controller;
- The purpose for Processing Personal Data;
- How Consumers may exercise their VCDPA Personal Data rights, including appeals for the treatment of Personal Data rights requests;
- The categories of Personal Data shared with third parties; and
- The categories of third parties with whom Personal Data is shared.
- Provide notice of any Sales to third parties or Processing of a Consumer’s Personal Data for Targeted Advertising, as well as the manner by which a Consumer may opt out of such Sales or Processing.
- Provide Consumers with one or more means to exercise their VCDPA Personal Data rights.
- Comply with individual data subject requests in a timely and efficient manner free of charge, within 45 days from the receipt of a request, up to two times per year.
- Establish and make conspicuously available a process for consumers to appeal the Controller’s refusal to take action on a data subject request. Controllers must respond to appeals within 60 days from the receipt of the appeal and provide the consumer with a mechanism to submit a complaint of denials to the Attorney General.
- Create a binding contract with any Processor regarding the Processing of Personal Data and the procedures being performed by the Processor on behalf of the Controller. The contract must:
- Contain instructions for Processing Personal Data;
- Describe the nature and purpose of Processing;
- Describe the type of Personal Data subject to Processing;
- Set forth the duration of Processing;
- Establish the rights and obligations of the Controller and the Processor; and
- Require the Processor to:
- Ensure each individual Processing Personal Data is subject to a duty of confidentiality with regards to the Personal Data;
- Delete or return all Personal Data at the end of the provision of services at the direction of the Controller unless otherwise required by law;
- Make available all information in its possession necessary to demonstrate Processor compliance with its obligations under the VCDPA upon reasonable request by the Controller;
- Allow and cooperate with reasonable assessments to demonstrate Processor compliance with its obligations, and to provide a report of any such assessment upon Controller request;
- Enter into written agreements with any subcontractors engaged to Process Personal Data which meet the obligations of the Processor.
- Conduct and document a Data Protection Assessment for each of the following Processing activities involving Personal Data:
- Targeted advertising;
- Profiling, where such Profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of or disparate impact on Consumers;
- Financial, physical, or reputational injury to Consumers;
- Intrusion upon solitude, seclusion, or the private affairs or concerns of Consumers where such intrusion would be offensive to a reasonable person;
- Other substantial injury to consumers;
- Sensitive Data Processing; and
- Any Processing activities that present a heightened risk of harm to Consumers.
- Controllers in possession of De-identified Data must:
- Take reasonable measures to ensure the Data cannot be associated with a natural person;
- Publicly commit to maintaining and using De-identified Data without attempting to re-identify the data; and
- Contractually obligate any recipients of the De-identified Data to comply with the VCDPA.
Processors. VCDPA Processor duties include obligations to:
- Adhere to the instructions of a Controller.
- Assist the Controller in meeting its VCDPA obligations, including:
- Reasonably assisting the Controller in responding to Personal Data rights requests.
- Assisting the Controller in meeting its obligations pertaining to Personal Data security and breach notification; and
- Providing necessary information to enable the Controller to conduct and document Data Protection Assessments.
Controllers must respond without undue delay, and within 45 days, to verified Consumer requests regarding the Processing of Personal Data and Sensitive Personal Data, including Consumers’:
- Right to know and access Personal Data being collected;
- Right to correct inaccurate Personal Data;
- Right to request deletion of Personal Data;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to opt out of Personal Data Sales, Targeted Advertising, and Profiling for decisions producing legal or similarly significant effects.
- Child: Any natural person younger than 13 years of age.
- Consumer: An individual who is a Virginia resident acting only in an individual or household context; this definition does not include individuals acting in a commercial or employment context.
- Consent: A clear affirmative act signifying a Consumer’s freely given, specific, informed, and unambiguous agreement to Process Personal Data relating to the Consumer. Consent may include a written statement, including electronic statements, or any other unambiguous affirmative action.
- Controller: A natural or legal person that, alone or jointly with others, determines the purposes and means for Processing Personal Data.
- De-identified Data: Data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.
- Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes: De-identified Data and publicly available information (defined as information lawfully made available from federal, state, or local government records, and information that a Controller has a reasonable basis to believe the Consumer has lawfully made available to the general public).
- Process or Processing: Any operation or set of operations performed on Personal Data or sets of Personal Data, including collection, use, storage, disclosure, analysis, deletion, or modification.
- Processor: A natural or legal entity that Processes Personal Data on behalf of a Controller.
- Profiling: Any form of automated Processing of Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of Personal Data for monetary or other valuable consideration by the Controller to a third party. The VCDPA excludes the following disclosures from this definition: (i) disclosures to a Processor that Processes Personal Data on behalf of the Controller; (ii) disclosures to a third party to fulfil a request made by a Consumer; (iii) disclosures to an affiliate of the Controller; (iv) disclosures of information that the Consumer intentionally made available to the general public via mass media which was not restricted to a specific audience; or (v) a disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets.
- Sensitive Personal Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship/citizenship status, genetic or biometric data for the purpose of uniquely identifying an individual, Personal Data collected from a known child, or precise geolocation data (within 1,750 feet).
- Targeted Advertising: Displaying advertisements to a Consumer where the advertisement is selected based on Personal Data obtained from that Consumer’s activities over time and across nonaffiliated websites or applications to predict the Consumer’s preferences or interests. The definition excludes (i) advertisements based on activities within the Controller’s own websites or applications; (ii) advertisements based on the Consumer’s current search query or website or application visit; (iii) advertisements directed to a Consumer in response to the Consumer’s request; or (iv) Personal Data Processing done solely for measuring advertising performance, reach, or frequency.
Violations of the VCDPA may be enforced exclusively by the Attorney General. The Attorney General must provide a 30-day cure period by written notice for violations. Violations which have not been adequately cured within the 30-day period may result in an injunction, a $7,500 civil penalty per violation, and reasonable expenses including attorney fees.
Effective Date: January 1, 2023
US Insurance Data Security Statutes
Covered Entities: Applies to insurance carriers, agents, insurance support organizations, or any other person required to be licensed, authorized to operate, or registered pursuant to Virginia’s insurance laws.
Security Standard: Must develop, implement, and maintain a written comprehensive information security program based on the entity’s risk assessment that contains administrative, technical, and physical safeguards appropriate to:
- The size and complexity of the business;
- The nature and scope of the entity’s activities, including its use of third-party service providers; and
- The sensitivity of the nonpublic information used or in the licensee’s possession, custody, or control.
Consumer Notification: A licensee that maintains consumers' nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers.
Regulatory Notification: A licensee shall notify the Virginia Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event has occurred.
Notification Timeline: As promptly as possible, and no later than 3 business days from a determination that a cybersecurity event involving nonpublic information in the possession of a licensee has occurred.
Citations: Va. Code Ann. §§ 38.2-621 to 38.2-629
- Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person.
- Licensee: Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth, not including a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Information that is not publicly available information and is any of the following:
- Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
- Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or
- Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.
Nonpublic information does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.
A licensee shall notify the Virginia Commissioner of Insurance as promptly as possible, and no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when any of the following criteria is met:
- The licensee is a domestic insurance company;
- The licensee is a producer whose home state is Virginia;
- The cybersecurity event involves the nonpublic information of at least 250 Virginia residents; or
- Federal law or another state’s law requires the licensee to give notice to a government body, self-regulatory agency, or other supervisory body.
When notifying the Virginia Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event;
- A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- How the cybersecurity event was discovered;
- Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- The source of the cybersecurity event;
- Whether and on what date the licensee has notified law enforcement, regulatory, or government agencies;
- The types of information acquired without authorization;
- The window of compromise;
- The number of Virginia residents affected by the cybersecurity event;
- The results of any internal review of security measures;
- A description of remediation efforts and new security measures;
- A contact person who is familiar with the cybersecurity event and authorized to act for the licensee; and
- A copy of the notice sent to consumers.
Moreover, licensees have a continuing obligation to update and supplement notice to the Commissioner as new information dictates. In addition, if a cybersecurity event affects a licensee’s third-party service provider, the licensee must provide notice to the Commissioner, unless the third-party service provider does so.
Third-Party Notice Requirements:
Specific third-party notice requirements apply in some situations, including when a licensee is an assuming insurer with no contractual relationship with the affected consumers, or when the nonpublic information was accessed through an independent insurance producer. See Va. Code Ann. § 38.2-625(F)-(G) for the specific rules.