06/04/2014 by Blake R. Christopher
Recall from Part I of the Primer on Virginia’s Data Breach Law that your laptop has been stolen, and you have concluded there has been a breach of security under Virginia’s data breach law. You must now determine whom to notify, and this will depend on your relationship to the data. Individuals or entities that own or license the breached computerized data must disclose the breach to the Office of the Attorney General of Virginia and any affected Virginia resident. This disclosure must be done “without unreasonable delay” following discovery or notification of the breach, though delay may be warranted in limited circumstances. However, if a person or entity maintains, but does not own or license, the breached computerized data, the person or entity must disclose the breach to the data’s owner or licensee. This also must be done “without unreasonable delay.” Additionally, if an individual or entity must provide notice to more than 1,000 persons under the data breach statute, he must also notify the Office of the Attorney General of Virginia and the major consumer reporting agencies (Equifax, Experian, and Transunion) of the timing, distribution, and content of the notice.
What information must be provided in the notice of breach? It should include a description of the incident in general terms, the type of personal information compromised, the actions taken to protect the personal information from further unauthorized access, a telephone number to call for further information (if one exists), and advice to remain vigilant by reviewing account statements and monitoring free credit reports. Notice must be provided in writing, telephonically, or electronically, though a substitute notice procedure is available where the cost of providing notice will exceed $50,000, more than 100,000 Virginia residents must be notified, or there is insufficient contact information to provide notice in writing, telephonically, or electronically. Failure to comply with the terms of the data breach statute can lead to civil penalties and potentially to lawsuits from the impacted individuals.
So when that laptop is stolen (or the thumb drive is lost, or server hacked, etc.) one of your top priorities must be determining whether personal information could have been accessed, and if anyone must be notified. Unfortunately, things become even more complicated if persons impacted by the breach are located outside of Virginia. Other states may have different or additional notification requirements, or stricter notification deadlines, than Virginia, and complying with them is equally important.