Overview. Virginia Governor Terry McAuliffe has signed into law HB 2113, amending its existing data breach notification law.
Effective Date. July 1, 2017.
Overview. Virginia’s existing data breach notification law contains a provision requiring individuals or entities who have notified more than 1,000 persons of a data breach pursuant to the law, to also notify the state Attorney General. HB 2113’s amendments require any employer or payroll service provider to notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. The new provision specifically reads:
M. Notwithstanding any other provision of this section, any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld pursuant to Article 16 (§ 58.1-460 et seq.) of Chapter 3 of Title 58.1 shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this subsection applies only to information regarding the employer's employees, and does not apply to information regarding the employer's customers or other non-employees.
Such employer or payroll service provider shall provide the Office of the Attorney General with the name and federal employer identification number of the employer as defined in § 58.1-460 that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Office of the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.
Under the existing law, the Office of the Attorney General must be provided with the following information:
(1) The incident in general terms;
(2) The type of personal information that was subject to the unauthorized access and
acquisition;
(3) The general acts of the individual or entity to protect the personal information from
further unauthorized access;
(4) A telephone number that the person may call for further information and assistance, if
one exists; and
(5) Advice that directs the person to remain vigilant by reviewing account statements and
monitoring free credit reports.
Amendments to the law require that the notification also include the name and Federal Employer Identification Number (FEIN) of the employer that may be affected by the compromise in confidentiality.
As always, please reach out to your Relationship Manager or Service Team, for more information about the topics covered in this Alert.