Virginia
State Data Breach Notification Statute
Highlights
Covered Entities: An individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality or any other legal entity, whether for profit or not for profit that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to any Commonwealth resident whose “unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth.”
Regulatory Notification: Notification must be provided to the Office of the Attorney General when a resident of the Commonwealth is notified of a breach.
Notification Timeline: Notification must be provided “without unreasonable delay.”
Data Format: Electronic.
Citations: Va. Code Ann. § 18.2-186.6.
More Details
Definitions:
- Breach: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
- Personal Information (PI):
  - An individual’s first name or first initial and last name in combination with and linked to any one or more of the following unencrypted or unredacted data elements:
    - Social Security number;
    - Driver’s license number or state identification card number issued in lieu of a driver’s license number;
    - Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts;
    - Passport number; or
    - Military identification number.
  - An individual’s first name or first initial and last name in combination with and linked to any one or more of the following unencrypted or unredacted data elements:
    - Medical Information: Any information regarding an individual’s medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
    - Health Insurance Information: An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, so long as the encryption key was not also acquired thereby rendering the PI readable / usable.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of an individual or entity for the lawful purposes of the individual or entity.
- Risk of Harm: Notification is not required if the entity reasonably believes that the breach has not caused and will not cause identity theft or other fraud to any resident of the Commonwealth.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or will impact homeland or national security.
Direct Notice:
- Timing: Notification must be provided without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore integrity of the system.
- Format: N/A
- Content: Notification letters must include the following:
  - The incident in general terms;
  - The type of personal information that was subject to the unauthorized access and acquisition;
  - The general acts of the individual or entity to protect the personal information from further unauthorized access;
  - A telephone number that the person may call for further information and assistance, if one exists; and
  - Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
- Method: Notification may be provided by (1) written notice to the last known postal address in the records of the individual or entity; (2) telephone notice; or (3) electronic notice.
Substitute Notice:
An individual or entity may provide substitute notice if (1) the cost of providing notice will exceed $50,000, (2) the notification population exceeds 100,000 residents, or (3) the individual or entity does not have sufficient contact information or consent to provide notice. Substitute notice must include: (1) Email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage; and (3) notice to statewide media.
Remediation Services:
N/A
Regulatory Notice:
Notification must be provided to the Office of the Attorney General where a Commonwealth resident requires notification.
Any employer or payroll service provider that owns or licenses computerized data relating to income tax must notify the Office of the Attorney General without unreasonable delay after discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. For employers, the notification obligation applies only to information relating to their employees.
Credit Reporting Agencies Notice:
If an individual or entity provides notice to more than 1,000 persons, the individual or entity must notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notice.
Third-Party Notice:
An individual or entity that maintains computerized data including PI that the individual or entity does not own or license must notify the owner or licensee of the PI of the “breach” without unreasonable delay following discovery.
HIPAA:
The notification requirements for incidents involving medical information do not apply to (1) a person or entity who is a “covered entity” or “business associate” for purposes of the Health Insurance Portability and Accountability Act will be deemed to have complied with relevant notice content requirements if it has complied with or (2) a person or entity who is a non-HIPAA-covered entity subject to the Health Breach Notification Rule promulgated by the Federal Trade Commission pursuant to 42 U.S.C. § 17937 et seq.
Private Action:
The Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Violations by state-chartered or licensed financial institutions are enforceable by the financial institution’s primary state regulator. Impacted individuals can pursue direct economic damages from violations.
Associated Regulations:
- Insurance Data Security (Va. Code Ann. §§ 38.2-621 to 38.2-629)
- Virginia Consumer Data Protection Act (VCDPA)
- Va. Code Ann. § 22.1-287.02
US Comprehensive Data Privacy Laws
Virginia Consumer Data Protection Act
Va. Code §§ 59.1-575 to 59.1-585
Highlights
Applicability:
The VCDPA applies to persons that conduct business in Virginia or produce products or services intentionally targeted to Virginia residents and that control or process personal data of:
- 100,000 consumers or more during a calendar year; or
- 25,000 or more consumers and derive over 50% of gross revenue from the sale of personal data.
Among other exclusions, the VCDPA excludes state and local government entities; institutions of higher education; covered entities, business associates, and related data governed by HIPAA and HITECH; financial institutions and related data governed by GLBA; employment-related data; nonprofit organizations; and data regulated by DPPA, FERPA, and the FCRA. Controllers and processors in compliance with COPPA are deemed compliant with parental consent obligations.
Covered Entity Obligations:
Controllers. VCDPA controller duties include obligations to:
- Limit the collection of personal data to only that which is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.
- Minimize processing of personal data to purposes that are reasonably necessary and compatible with the disclosed purpose for the processing unless the consumer gives consent.
- Implement reasonable security procedures and practices commensurate with the nature of the personal data so as to protect its confidentiality, integrity, and availability.
- Not unlawfully discriminate when processing personal data.
- Not discriminate against a consumer for exercising personal data rights.
- Obtain consumer consent prior to processing sensitive data, and process sensitive personal data of a known child in accordance with COPPA.
- Not make any contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under the VCDPA. Such an agreement is contrary to public policy and is void and unenforceable.
- Provide consumers with a reasonably accessible, clear, and meaningful privacy notice addressing:
  - The categories of personal data processed by the controller;
  - The purpose for processing personal data;
  - How consumers may exercise their VCDPA personal data rights, including appeals regarding the treatment of personal data rights requests;
  - The categories of personal data shared with third parties; and
  - The categories of third parties with whom personal data is shared.
- Provide notice of any sales to third parties or processing of a consumer’s personal data for targeted advertising, as well as the manner by which a consumer may opt out of such sales or processing.
- Provide consumers with one or more means to exercise their VCDPA personal data rights.
- Comply with individual data subject requests in a timely and efficient manner free of charge, within 45 days from the receipt of a request, up to two times per year.
- Establish and make conspicuously available a process for consumers to appeal the controller’s refusal to take action on a data subject request. Controllers must respond to appeals within 60 days from the receipt of the appeal and provide the consumer with a mechanism to submit a complaint of denials to the Attorney General.
- Create a binding contract with any processor regarding the processing of personal data and the procedures being performed by the processor on behalf of the controller. The contract must:
  - Contain instructions for processing personal data;
  - Describe the nature and purpose of processing;
  - Describe the type of personal data subject to processing;
  - Set forth the duration of processing;
  - Establish the rights and obligations of the controller and the processor; and
  - Require the processor to:
    - Ensure each individual processing personal data is subject to a duty of confidentiality with regard to the personal data;
    - Delete or return all personal data at the end of the provision of services at the direction of the controller unless otherwise required by law;
    - Make available all information in its possession necessary to demonstrate processor compliance with its obligations under the VCDPA upon reasonable request by the controller;
    - Allow and cooperate with reasonable assessments to demonstrate processor compliance with its obligations, and provide a report of any such assessment upon controller request; and
    - Enter into written agreements with any subcontractors engaged to process personal data that meet the obligations of the processor.
- Conduct and document a Data Protection Assessment for each of the following processing activities involving personal data:
  - Targeted advertising;
  - Profiling, where such profiling presents a reasonably foreseeable risk of:
    - Unfair or deceptive treatment of or disparate impact on consumers;
    - Financial, physical, or reputational injury to consumers;
    - Intrusion upon solitude, seclusion, or the private affairs or concerns of consumers where such intrusion would be offensive to a reasonable person;
    - Other substantial injury to consumers;
  - Sensitive data processing; and
  - Any processing activities that present a heightened risk of harm to consumers.
- Controllers in possession of de-identified data must:
  - Take reasonable measures to ensure the data cannot be associated with a natural person;
  - Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  - Contractually obligate any recipients of the de-identified data to comply with the VCDPA.
- Controllers and processors that operate social media platforms must use commercially reasonable methods to determine whether a user is a minor and limit a minor's use of the platform to one hour per day, per service or application, and allow a parent to give verifiable parental consent to increase or decrease the daily time limit. Information collected for the purpose of determining a user's age shall not be used for any purpose other than age determination and provision of age-appropriate experiences.
Processors. VCDPA processor duties include obligations to:
- Adhere to the instructions of a controller.
- Assist the controller in meeting its VCDPA obligations, including:
  - Reasonably assisting the controller in responding to personal data rights requests;
  - Assisting the controller in meeting its obligations pertaining to personal data security and breach notification; and
  - Providing necessary information to enable the controller to conduct and document data protection impact assessments.
- Enter into written agreements with any subcontractors engaged to process personal data which meet the obligations of the processor.
- Adhere to the social media platform requirements (see above).
Consumer Rights:
Controllers must respond without undue delay and within 45 days of receipt of a verified consumer request invoking one or more of the following consumer rights:
- Right to know whether personal data is being collected and to access that personal data;
- Right to correct inaccurate personal data;
- Right to request deletion of personal data;
- Right to obtain a copy of the personal data in a format that is generally portable, readily usable, and transmittable; and
- Right to opt out of personal data sales, targeted advertising, and profiling for decisions producing legal or other significant effects concerning the consumer.
More Details
Definitions:
- Child: Any natural person younger than 13 years of age.
- Consumer: A natural person who is a Virginia resident acting only in an individual or household context and not in a commercial or employment context.
- Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including electronic statements, or any other unambiguous affirmative action.
- Controller: A natural or legal person that, alone or jointly with others, determines the purposes and means for processing personal data.
- De-identified Data: Data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.
- Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal data excludes de-identified data and publicly available information (defined as information lawfully made available to the public through federal, state, or local government records, and information that a controller has a reasonable basis to believe is lawfully attainable by the general public through widely distributed media, by the consumer, or by a person to whom the consumer disclosed the information).
- Process or Processing: Any operation or set of operations performed on personal data or sets of personal data, including collection, use, storage, disclosure, analysis, deletion, or modification.
- Processor: A natural or legal entity that processes personal data on behalf of a controller.
- Profiling: Any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration by the controller to a third party. The VCDPA excludes the following disclosures from this definition: (i) disclosures to a processor that processes personal data on behalf of the controller; (ii) disclosures to a third party for purposes of providing a product or service requested by the consumer; (iii) disclosure or transfer to an affiliate of the controller; (iv) disclosure of information that the consumer intentionally made available to the general public via mass media and did not restrict to a specific audience; or (v) disclosure or transfer to a third party that is an asset in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- Sensitive Data: Personal data revealing: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, processing of genetic or biometric data for the purpose of uniquely identifying a natural person, personal data collected from a known child, or precise geolocation data (within 1,750 feet).
- Social Media Platform: A public or semipublic Internet-based service or application that has users in Virginia that connects users to interact socially and allows users to: construct a profile for purposes of signing into and using the service or application; populate a public list of other users with whom the user shares a social connection; and create or post content viewable by other users, including content on message boards, in chat rooms, or through a landing page or main feed that presents content generated by other users.
- Targeted Advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests. The definition excludes (i) advertisements based on activities within the controller’s own websites or online applications; (ii) advertisements based on the consumer’s current search query or website or online application visit; (iii) advertisements directed to a consumer in response to the consumer’s request for information or feedback; or (iv) personal data processing done solely for measuring or reporting advertising performance, reach, or frequency.
Penalties:
Violations of the VCDPA may be enforced exclusively by the Attorney General. The Attorney General must provide a 30-day cure period by written notice for violations. Violations determined to not have been adequately cured within the 30-day period may result in an injunction, a $7,500 civil penalty per violation, and reasonable expenses including attorney fees.
Private Action:
No
Associated Regulations:
N/A
Effective Date:
January 1, 2023 (revisions effective January 1, 2026)
Insurance Data Security Statute
Highlights
Covered Entities: Applies to any individual or nongovernmental entity licensed, authorized to operate, or registered, or required to be licensed, authorized to operate, or registered pursuant to Virginia’s insurance laws.
Security Standard: Each licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s assessment of risk that contains administrative, technical, and physical safeguards commensurate with:
- The size and complexity of the licensee;
- The nature and scope of the licensee’s activities, including its use of third-party service providers; and
- The sensitivity of the nonpublic information used or in the licensee’s possession, custody, or control.
Consumer Notification: A licensee must notify consumers of any Cybersecurity Event without unreasonable delay after making a determination or receiving notice that the Cybersecurity Event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud.
Regulatory Notification: A licensee shall notify the Virginia Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event has occurred.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: Va. Code Ann. §§ 38.2-621 to 38.2-629
More Details
Definitions:
- Authorized Person: A person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.
- Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. Cybersecurity event does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth, not including a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Information that is not publicly available information and is any of the following:
  - Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
  - Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer's (i) social security number; (ii) driver's license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer's financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or
  - Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family; (ii) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.
  Nonpublic information does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.
Consumer Notice:
A licensee shall notify consumers of any cybersecurity event without unreasonable delay after making a determination or receiving notice that the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers.
Consumer Notice Content Requirements:
A licensee shall notify consumers without unreasonable delay, and notice shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. Such notice shall include a description of the following:
- The incident in general terms;
- The type of nonpublic information that was subject to the unauthorized access and acquisition;
- The general acts of the licensee to protect the consumer’s nonpublic information from further unauthorized access;
- A telephone number that the consumer may call for further information and assistance, if one exists; and
- Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer’s credit reports.
Substitute notice may be provided if the licensee demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice.
Regulatory Notice:
A licensee shall notify the Virginia Commissioner of Insurance as promptly as possible, and no later than 3 business days from a determination that a cybersecurity event has occurred, if:
- The licensee is a domestic insurance company or, in the case of a producer, Virginia is the licensee’s home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or
- The licensee reasonably believes that the nonpublic information involved is of 250 or more Virginia residents; or
- The licensee is required under federal law or another state’s laws to provide notice of the cybersecurity event to any government body, self-regulatory agency, or other supervisory body.
Regulatory Notice Content Requirements:
When notifying the Virginia Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event;
- A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- How the cybersecurity event was discovered;
- Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- The identity of the source of the cybersecurity event;
- Whether and on what date the licensee has notified law enforcement, regulatory, or government agencies;
- The types of information acquired without authorization;
- The window of compromise;
- The number of Virginia residents affected by the cybersecurity event;
- The results of any internal review of security measures;
- A description of remediation efforts and new security measures;
- A copy of the licensee’s consumer privacy policy and a statement outlining the steps the licensee will take to investigate and notify affected consumers;
- A contact person who is familiar with the cybersecurity event and authorized to act for the licensee; and
- A copy of the notice sent to consumers.
Licensees have a continuing obligation to update and supplement notice to the Commissioner as new information dictates. In addition, if a cybersecurity event affects a licensee’s third-party service provider, the licensee must provide notice to the Commissioner, unless the third-party service provider does so.
Other Notice:
If a licensee provides notice to more than 1,000 consumers at one time, the licensee must also notify, without unreasonable delay, all consumer reporting agencies.
Third-Party Notice Requirements:
Specific third-party notice requirements apply in some situations, including when a licensee is an assuming insurer with no contractual relationship with the affected consumers or the nonpublic information was accessed through an independent insurance producer. See Va. Code Ann. § 38.2-625(F)-(G) for specific rules.
Penalties:
N/A
Associated Regulations:
N/A