Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a [Virginia] taxpayer’s identification number in combination with the income tax withheld for that taxpayer. . . .”
The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law. Notification is required only when the employer or payroll service provider discovers a breach, and the employer or payroll service provider reasonably believes that the breach is causing, has caused, or will cause identity theft or fraud.
Covered businesses must notify the Virginia Office of the Attorney General of a breach “without unreasonable delay.” A delay in notification is “reasonable” in order to investigate and remediate the breach or if due to a request from law enforcement or national security authorities to support a criminal or civil investigation.
Importantly, the Virginia Attorney General’s enforcement powers under the statute include the ability to bring an action to address violations of the statute and to impose a civil penalty of up to $150,000 per breach event. However, the Virginia Attorney General’s enforcement powers do not limit individuals’ right to bring a private action and recover monetary damages against an entity that violates the statute.
A copy of the statute, as amended, can be found here.
 Va. Code Ann. § 18.2-186.6(A). (West 2017).