Overview. Governor Terry McAuliffe of Virginia has signed into law legislation (HB 2113) relating to a notification requirement for breach of payroll data.
The law requires any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld to notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, the legislation only applies to information regarding the employer’s employees and does not apply to information regarding the employer’s customers or other non-employees.
Effective Date. July 1, 2017
Details. The legislation requires the employer or payroll service provider to provide the Office of the Attorney General with the following information:
1. The incident in general terms;
2. The type of personal information that was subject to the unauthorized access and acquisition;
3. The general acts of the individual or entity to protect the personal information from further unauthorized access;
4. A telephone number that the person may call for further information and assistance, if one exists; and
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
HB 2113 defines "Personal information" as the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:
1. Social security number;
2. Driver's license number or state identification card number issued in lieu of a driver's license number; or
3. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.
The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
"Redact," under HB 2113, means alteration or truncation of data such that no more than the following are accessible as part of the personal information:
1. Five digits of a social security number; or
2. The last four digits of a driver's license number, state identification card number, or account number.
Call to Action. Employers and payroll service providers that own or license computerized data relating to income tax withheld will need to be prepared to notify the Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of data as described in HB 2113.
Additional details of HB 2113 can be reviewed here.
If you have any questions regarding this article, please contact your Relationship Manager or Service Team.