Virginia recently became the 40th state to enact a security breach law, Va. Code Ann. § 18.2-186.6, which becomes effective on July 1, 2008. As with most of these laws, it applies to the improper acquisition of unencrypted computerized data. Virginia adopted the narrower definition of “personal information”: the law applies only to a name in combination with a Social Security Number, driver’s license number, state identification number, or a financial account number in combination with a security code or password. Other states, by contrast, have included other forms of information in their security breach laws.
Virginia adopted a standard that requires notice only if there is a reasonable belief that the breach will cause identity theft or other fraud. In a departure from the majority of states, Virginia permits notice of the breach to be given via telephone, e-mail, or in writing. Virginia also has mandated the form of notice, requiring that the notice:
- Describe the incident in general terms
- Disclose the timing of the incident
- Include telephone assistance numbers
- Describe the actions taken by the entity to ensure the information is protected from further improper acquisition
- Advise individuals whose information has been compromised to be “vigilant” and review account statements and free credit reports
The statute appears to require notice to the Office of the Attorney General even if the information of 1,000 or fewer residents has been breached, and certainly requires notice to the Virginia Attorney General and the consumer reporting agencies if more than 1,000 residents of Virginia are implicated in a breach.
Virginia also amended its Social Security Number law, found at Va. Code Ann. § 59.1-443.2, broadening its scope to include many public records. This amendment also becomes effective on July 1, 2008.