
Primer On Virginia's Data Breach Law: Part Two

Recall from Part I of the Primer on Virginia's Data Breach Law that your laptop has been stolen, and you have concluded there has been a breach of security under Virginia's data breach law.  You must now determine whom to notify, and this will depend on your relationship to the data.  Individuals or entities that own or license the breached computerized data must disclose the breach to the Office of the Attorney General of Virginia and any affected Virginia resident.  This disclosure must be done "without unreasonable delay" following discovery or notification of the breach, though delay may be warranted in limited circumstances.  However, if a person or entity maintains, but does not own or license, the breached computerized data, the person or entity must disclose the breach to the data's owner or licensee.  This also must be done "without unreasonable delay."  Additionally, if an individual or entity must provide notice to more than 1,000 persons under the data breach statute, that individual or entity must also notify the Office of the Attorney General of Virginia and the major consumer reporting agencies (Equifax, Experian, and TransUnion) of the timing, distribution, and content of the notice.

What information must be provided in the notice of breach?  It should include a description of the incident in general terms, the type of personal information compromised, the actions taken to protect the personal information from further unauthorized access, a telephone number to call for further information (if one exists), and advice to remain vigilant by reviewing account statements and monitoring free credit reports.  Notice must be provided in writing, telephonically, or electronically, though a substitute notice procedure is available where the cost of providing notice will exceed $50,000, more than 100,000 Virginia residents must be notified, or there is insufficient contact information to provide notice in writing, telephonically, or electronically.  Failure to comply with the terms of the data breach statute can lead to civil penalties and potentially to lawsuits from the impacted individuals.

So when that laptop is stolen (or the thumb drive is lost, or the server is hacked, etc.), one of your top priorities must be determining whether personal information could have been accessed, and whether anyone must be notified.  Unfortunately, things become even more complicated if persons impacted by the breach are located outside of Virginia.  Other states may have different or additional notification requirements, or stricter notification deadlines, than Virginia, and complying with them is equally important.


