Featured Publications

Hospitality Industry: Mediation of Golf Industry Disputes Alert - January 31, 2012

Golf clubs and their developers, owners, builders, operators, managers and members are still taking their disputes to court to duke, or "club" it out. This trend continues even when there are readily available options to full-blown litigation, such as alternative dispute resolution (ADR).

More

Financial Institutions: Alert - January 31, 2012

The Dodd-Frank Wall Street Reform and Consumer Protection Act impacted many investment advisers who previously were not registered.

More

Search Our Library

Search

  • Print Article
  • Email this page to a friend
  • Print Newsletter / Alert
Labor, Employment and Benefits
Newsletter - October 2008
 
In this Issue...
Virginia – Legislature Enacts Data Breach Notification Law
 
 October 22, 2008
 
Jonathan E. "Jon" O'Connell- Northern Virginia

Recently, Virginia joined the majority of states across the country that have enacted data breach notification statutes. The new law, which became effective on July 1, 2008, is aimed at protecting residents of the Commonwealth by minimizing the risk of identity theft resulting from the unauthorized acquisition of personal information.

Notice
A business that owns or licenses computerized data that believes unencrypted personal information (as defined in the statute) has been accessed by an unauthorized person must disclose the breach to the Office of the Attorney General, as well as to affected Virginia residents, if the business believes the unauthorized access will result in identity theft or fraud. (It is recommended that an employer exercise great care before declining to provide notice of a breach based on a belief that it will not result in identity theft or fraud.) The statute allows for several means of providing notice to residents, including written, telephonic, electronic, and under certain circumstances, “substitute” notice. While the statute does not set forth a specific time period within which a business must provide the notification, it must do so “without unreasonable delay.” But a business may delay notification if a law enforcement agency advises it that the notice will hinder a criminal or civil investigation, or jeopardize homeland or national security.

Penalties
The Virginia attorney general is authorized to bring actions against businesses that violate the statute. The attorney general may seek civil penalties of up to $150,000 per breach for which proper notification is not given. Additionally, individuals may recover their own direct economic damages resulting from a violation of the statute.

Virginia and Non-Virginia Businesses Must Comply

Similar to legislation passed in other states, Virginia’s data breach notification law protects any affected resident. Thus, a business that does not have any physical operations within the Commonwealth of Virginia, but maintains the personal information of Virginia residents, is obligated to comply with the law’s requirements. Accordingly, businesses maintaining personal information of Virginia residents should advise their management and IT professionals of this new legislation, regardless of whether they have operations within the Commonwealth.

For more information, contact:

Jonathan O’Connell
703.720.8063
jonathan.oconnell@hklaw.com
toll free: 1.888.688.8500

Related Practices