
New Data Breach Disclosure Law Takes Effect in Virginia

Date: 07/02/2008

On July 1, 2008, Virginia joined more than 40 other states that have enacted legislation designed to encourage businesses and government agencies to improve their security measures to protect against identity theft from access to their computerized records containing personal information. This new law, Va. Code § 18.2-186.6, requires companies to provide notice to affected individuals (and to the Virginia Attorney General) whenever there is any breach of their computerized, unredacted and unencrypted records containing personal information, if the breach will cause or is reasonably believed to cause identity theft or other fraud. Violators of this new law are subject to civil suit by affected individuals and penalties imposed by the Virginia Attorney General of up to $150,000 per breach.

Given the security risks created by the loss and/or theft of laptops and PDAs, and the risks associated with the improper and unauthorized access to computer databases and other security breaches, companies operating in Virginia should evaluate their operations to determine if they maintain computerized information that might trigger a disclosure notification under this new law. Records maintained by human resource departments should be carefully assessed.

Unlike some states, the new Virginia law does not require notification every time there is reason to believe that computer information has been acquired by an unauthorized party. Instead, notice to affected individuals who reside in Virginia is only required when it is reasonable to believe that the breach will cause harm to the individual. This new law is designed to protect "personal information" that is maintained as part of a database that includes multiple individuals in an unencrypted and unredacted state. The statute specifically exempts "good faith acquisition" by an employee or agent of the business for a business purpose as long as the information is not used for other than a lawful purpose or is not subject to a further unauthorized disclosure. Thus, requests for information by third parties, by subpoena or otherwise, must be carefully evaluated.

"Personal information" is defined by this new Virginia statute to mean the first name or initial and last name of an individual, combined with or linked to any of the following elements related to that individual who is a Virginia resident: (i) social security number, (ii) driver's license or state identification card number or (iii) a financial account number, credit card or debit card number, along with either the required security code, access code or password that would permit access to the financial records. Excluded is information lawfully obtained from publicly available information, or from local, state or federal government records made available to the general public. If a breach occurs and notice is required, the Virginia statute does allow the company a reasonable opportunity to determine the scope of the breach and to restore the integrity of the system before sending out the notice of a breach. There is also a provision that allows notice to be delayed in order to permit cooperation with local law enforcement authorities.

For all businesses, this new law places a priority on identifying those databases that contain "personal information" that could trigger a notice obligation in the event of a breach. To the extent that such databases exist, consideration should be given to whether the data contained therein can either be encrypted or redacted in a way that avoids the necessity for having to make a notice disclosure in the event of a breach. For more information on this or other privacy issues, please feel free to contact W. David Paxton, david_paxton@gentrylocke.com, 540.983.9334, or any other member of Gentry Locke's Labor and Employment Team.

Legal Disclaimer: The results of client matters depend on a variety of factors unique to each matter. Past successes do not predict or guarantee future successes. Attorneys licensed to practice in VA, MD, DC, TN, CA, FL, and NY.