By: Spencer Allen
More than four billion data records were stolen worldwide in 2016, and in 2014 alone nearly half (47%) of U.S. adults had their personal information stolen. Though it is the big hacks that make the news (Yahoo, 3 billion accounts; Equifax, 143 million; Verizon, 6 million), small and local businesses are no less vulnerable to a data breach, and they need to be ready to respond quickly when one happens.
Virginia law requires businesses to notify affected parties in certain situations where personal data is compromised. Failure to give proper notice can be expensive: the Attorney General may seek up to $150,000 per breach. This article is intended to help Virginia businesses comply with the mandatory notification procedure that follows a data breach.
I. What sorts of breaches require giving notice?
Virginia Code § 18.2-186.6 requires that companies give notice when each of five criteria is met: 1) unencrypted or unredacted; 2) personal information; 3) is accessed or acquired by an unauthorized person (or is reasonably believed to have been accessed or acquired by an unauthorized person); 4) which causes identity theft or another fraud (or is reasonably believed to have caused, or to be likely to cause, identity theft or another fraud); 5) to any resident of Virginia. Each of the five criteria must be analyzed to determine whether notice is required.
- “Unencrypted or unredacted”
“Encrypted” data has been transformed by an algorithmic process so that it cannot be read without a specific key (or set of keys). The statute's own definition states the standard that matters: encryption must leave “a low probability of assigning meaning without the use of a confidential process or key.” The precise mechanics depend on the kind of data and on how it is stored and transmitted, but the idea is the same in every case.
For example, imagine a toy scheme that shifts every digit down by one. Applied to the number 4765 it produces 3654. Two points follow from this example. First, the algorithm (shift each digit) and the key (shift by one) are different things. In real cryptography the algorithm is assumed to be public, and all of the secrecy rests on the key; that is why the statute speaks of a confidential key rather than a secret method. Second, the toy fails the statute's “low probability” test: there are only ten possible shifts, so anyone holding 3654 can try every shift and recover 4765 in moments. Ciphers in actual use, such as AES, have keys so large that trying them all is infeasible, and even then the data is protected only for as long as the key stays secret.
“Redacted” data has had its identifying elements altered or truncated. The statute defines the term precisely: data is redacted when no more than five digits of a social security number, or the last four digits of a driver's license number, state identification card number, or account number, remain accessible. The everyday sense of the word, stripping the name from a record so that it is no longer tied to a particular person (for example, a detailed medical record with no name attached), is related but weaker: a nameless record can sometimes be re-identified by linking its remaining details (dates, ZIP code, employer) to other data sets, so the absence of a name alone should not be treated as a safe harbor.
Basically, this first criterion requires that the compromised data be usable. The person who steals or otherwise acquires it must be able to read what it says and tie it to particular persons or entities. If the compromised data remains encrypted or is redacted, notification is not required by Va. Code § 18.2-186.6. Encryption is not an unconditional safe harbor, however: the statutory definition presupposes a confidential key, so data whose key was also exposed, or that was taken in decrypted form (for example from a running application, or from a database that decrypts on read), is not meaningfully encrypted and should be analyzed as if it were plaintext.
- “Personal information”
The statute defines personal information as the first name or first initial and the last name, in combination with and linked to any one or more of the following data elements:
- More than five digits of a social security number
- More than the last four digits of a driver’s license number or state identification card number
- More than the last four digits of a financial account number, or credit card or debit card number, together with any required security code, access code, or password that would permit access to the person’s financial accounts
If the compromised data does not contain all three elements (a first name or initial, a last name, and at least one of the listed data elements), notice is not mandatory.
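As an added example (not part of the original article), the following Python screening function encodes the “unencrypted or unredacted” and “personal information” criteria above so that an incident responder can scope a compromised export row by row. The sample rows are constructed, not real data, and the field names and mask characters (X, *, #) are assumptions about how such an export might look.

```python
import re

# Statutory thresholds (Va. Code § 18.2-186.6(A), "Redact"): data counts as redacted when no
# more than five digits of an SSN, or only the last four digits of a license, state ID or
# account number, remain accessible.
SSN_MAX_DIGITS = 5
ID_TRAILING_DIGITS = 4


def accessible_digits(value):
    """Count the digits still readable in a field; mask characters (X, *, #, -) are not digits."""
    return len(re.findall(r"\d", value or ""))


def ssn_is_redacted(value):
    """An SSN is redacted when five or fewer of its digits are accessible."""
    return accessible_digits(value) <= SSN_MAX_DIGITS


def id_number_is_redacted(value):
    """A license/ID/account number is redacted when the only readable digits are a trailing
    run of at most four (so '1111-****' is NOT redacted: those are the first four, not the last)."""
    return re.fullmatch(r"\D*\d{0,%d}" % ID_TRAILING_DIGITS, value or "") is not None


def has_name(record):
    """'First name or first initial' plus 'last name' (assumed field names)."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def qualifying_identifiers(record):
    """Return the data elements that, linked to the name, make the row 'personal information'."""
    found = []
    ssn = record.get("ssn")
    if ssn and not ssn_is_redacted(ssn):
        found.append("ssn")
    dl = record.get("drivers_license")
    if dl and not id_number_is_redacted(dl):
        found.append("drivers_license")
    # An account or card number only counts together with a code that permits access.
    acct = record.get("account_number")
    if acct and not id_number_is_redacted(acct) and record.get("account_secret"):
        found.append("account_number+secret")
    return found


def is_personal_information(record):
    return has_name(record) and bool(qualifying_identifiers(record))


def triage(records):
    """Return the ids of rows that are unencrypted, unredacted personal information.
    The 'encrypted' flag (an assumption) marks rows only exposed in encrypted form."""
    return [r["id"] for r in records if not r.get("encrypted") and is_personal_information(r)]


# Constructed sample rows resembling a leaked export (not real data).
SAMPLE_ROWS = [
    {"id": 1, "first_name": "J.", "last_name": "Doe", "ssn": "123-45-6789"},                     # full SSN
    {"id": 2, "first_name": "Jane", "last_name": "Doe", "ssn": "XXX-XX-6789"},                   # 4 digits: redacted
    {"id": 3, "first_name": "Jane", "last_name": "Doe", "account_number": "4111111111111111"},   # no access code
    {"id": 4, "first_name": "Jane", "last_name": "Doe", "account_number": "4111111111111111", "account_secret": "123"},
    {"id": 5, "first_name": "Jane", "last_name": "Doe", "account_number": "****-****-****-1111", "account_secret": "123"},
    {"id": 6, "first_name": "", "last_name": "Doe", "drivers_license": "A12345678"},             # no first name/initial
    {"id": 7, "first_name": "Jane", "last_name": "Doe", "drivers_license": "A12345678", "encrypted": True},
    {"id": 8, "first_name": "Jane", "last_name": "Doe", "drivers_license": "A12345678"},
]

if __name__ == "__main__":
    print("rows in scope for notice analysis:", triage(SAMPLE_ROWS))
```

Run it against the data as it was actually exposed (the stolen file or the exfiltrated query result), not against the canonical database, because what matters is what the unauthorized party could read. The output only settles the first two criteria; the access, fraud and residency criteria still have to be applied to each row, and the thresholds should be confirmed against the statute's current text before any decision is made.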
- Accessed or acquired by an unauthorized person (or reasonably believed to have been accessed or acquired by an unauthorized person)
Importantly, the statute does not require proof that the data was actually stolen. A company must comply with mandatory notice even if it only reasonably believes that the data has been accessed or acquired by an unauthorized person. What counts as a “reasonable belief” is left to the courts, and the question has not yet been litigated under this statute, so it is better to err on the side of caution whenever a data breach is suspected.
- “Which causes identity theft or another fraud (or the individual or entity reasonably believes has caused or will cause identity theft or another fraud)”
This criterion ties mandatory notice to the harm the statute is concerned with: identity theft or other fraud. As with the access criterion, actual identity theft or fraud does not have to occur; a reasonable belief that it has occurred or will occur is enough. This allows affected parties to be notified as soon as possible, and hopefully before damage has been done. Again, if personal data has been stolen it is best to err on the side of caution and assume that it will be used for identity theft or fraud. Virginia crimes involving fraud are codified in Chapter 6 of Title 18.2 of the Code of Virginia.
This part of the statute is important because it creates a carve-out so that accidental “good faith” breaches do not trigger mandatory notification. For example, imagine that a business owner’s mother-in-law, while snooping on her computer, opens a file called “business records.” The file contains all of the transaction information from the business, including credit card numbers and personal information of customers. Without criterion four, this would trigger mandatory notification because 1) unencrypted 2) personal information was 3) accessed by an unauthorized person. However, because the business owner (hopefully) can trust that her mother-in-law will not use the information to commit fraud, this sort of breach does not trigger mandatory notification: the breach neither caused identity theft or fraud, nor would a person reasonably believe that identity theft or fraud had occurred or would occur.
- “To any resident of Virginia”
Importantly, mandatory notice under this statute does not apply to persons or entities who are not residents of Virginia. However, forty-eight states have mandatory disclosure statutes similar to Virginia's (all but Alabama and South Dakota). If personal data concerning a resident of another state has been compromised, it is important to check the laws of that state to determine whether notice is required. For a list of these state statutes, refer to the appendix.
II. What happens if no notice is given?
If a company fails to give notice when it is required, the Attorney General may bring an action against it for up to $150,000 per breach. 
III. To Whom Must Notice be Given, When, and What Must it Include?
If a data breach has occurred and it satisfies the above criteria, notice must be given “without unreasonable delay” following the discovery of the breach. If the data is owned or licensed by the company where the breach occurred, notice must be given to 1) the Attorney General of Virginia; and 2) any resident of Virginia affected by the breach.
Notice may be delayed if, after notifying a law enforcement agency, that agency determines that notification would impede a criminal or civil investigation, or homeland or national security.
If the company where the breach occurred does not own or license the data that was compromised, that company must notify the owner or licensee of the data “without unreasonable delay” following discovery of the breach.
- Notice to the Attorney General
Notice to the Attorney General of Virginia must include:
- A cover letter on official letterhead notifying the VA Attorney General of the breach
- Approximate date of the incident and how the incident was discovered
- The cause of the breach
- The number of Virginia residents affected by the breach
- The steps taken to remedy the breach; and
- A sample of the notification made to the affected parties, to include any possible offers of free credit monitoring.
Notice to the Attorney General may be addressed to:
Computer Crime Section
Virginia Attorney General’s Office
202 North 9th Street
Richmond, Virginia 23219
- Notice to affected persons
Notice to affected persons must include:
- A description of the incident in general terms
- The type of personal information that was accessed by the unauthorized person
- A description of what the company has done to prevent further unauthorized access
- A telephone number that the person may call for further information and assistance, if one exists; and
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
Notice to affected persons may be given: 1) in writing to the person's last known postal address in the records of the company where the breach occurred; 2) by telephone; or 3) electronically.
If the cost of providing notice would exceed $50,000, or the number of Virginia residents to be notified exceeds 100,000, or the company where the breach occurred does not have sufficient contact information or consent to use it, substitute notice may be used instead. Substitute notice consists of all of the following:
- E-mail notice, if the company has e-mail addresses for the affected residents
- Conspicuous posting of the notice on the company's website, if it maintains one
- Notice to major statewide media
APPENDIX: A List of State Notice Statutes
| State or territory | Statute |
| --- | --- |
| Alaska | Alaska Stat. § 45.48.010 et seq. |
| Arizona | Ariz. Rev. Stat. § 18-545 |
| Arkansas | Ark. Code §§ 4-110-101 et seq. |
| California | Cal. Civ. Code §§ 1798.29, 1798.82 |
| Colorado | Colo. Rev. Stat. § 6-1-716 |
| Connecticut | Conn. Gen. Stat. §§ 36a-701b, 4e-70 |
| Delaware | Del. Code tit. 6, § 12B-101 et seq. |
| Florida | Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) |
| Georgia | Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 |
| Hawaii | Haw. Rev. Stat. § 487N-1 et seq. |
| Idaho | Idaho Stat. §§ 28-51-104 to -107 |
| Illinois | 815 ILCS §§ 530/1 to 530/25 |
| Indiana | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
| Iowa | Iowa Code §§ 715C.1, 715C.2 |
| Kansas | Kan. Stat. § 50-7a01 et seq. |
| Kentucky | KRS § 365.732, KRS §§ 61.931 to 61.934 |
| Louisiana | La. Rev. Stat. §§ 51:3071 et seq. |
| Maine | Me. Rev. Stat. tit. 10 § 1346 et seq. |
| Maryland | Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308 |
| Massachusetts | Mass. Gen. Laws § 93H-1 et seq. |
| Michigan | Mich. Comp. Laws §§ 445.63, 445.72 |
| Minnesota | Minn. Stat. §§ 325E.61, 325E.64 |
| Mississippi | Miss. Code § 75-24-29 |
| Missouri | Mo. Rev. Stat. § 407.1500 |
| Montana | Mont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq., 33-19-321 |
| Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. |
| Nevada | Nev. Rev. Stat. §§ 603A.010 et seq., 242.183 |
| New Hampshire | N.H. Rev. Stat. §§ 359-C:19 et seq. |
| New Jersey | N.J. Stat. § 56:8-161 et seq. |
| New Mexico | 2017 H.B. 15, Chap. 36 (effective 6/16/2017) |
| New York | N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208 |
| North Carolina | N.C. Gen. Stat. §§ 75-61, 75-65 |
| North Dakota | N.D. Cent. Code §§ 51-30-01 et seq. |
| Ohio | Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192 |
| Oklahoma | Okla. Stat. §§ 74-3113.1, 24-161 to -166 |
| Oregon | Or. Rev. Stat. §§ 646A.600 to .628 |
| Pennsylvania | 73 Pa. Stat. §§ 2301 et seq. |
| Rhode Island | R.I. Gen. Laws §§ 11-49.3-1 et seq. |
| South Carolina | S.C. Code § 39-1-90 |
| Tennessee | Tenn. Code §§ 47-18-2107; 8-4-119 |
| Texas | Tex. Bus. & Com. Code §§ 521.002, 521.053 |
| Utah | Utah Code §§ 13-44-101 et seq. |
| Vermont | Vt. Stat. tit. 9 §§ 2430, 2435 |
| Virginia | Va. Code §§ 18.2-186.6, 32.1-127.1:05 |
| Washington | Wash. Rev. Code §§ 19.255.010, 42.56.590 |
| West Virginia | W. Va. Code §§ 46A-2A-101 et seq. |
| Wisconsin | Wis. Stat. § 134.98 |
| Wyoming | Wyo. Stat. §§ 40-12-501 et seq. |
| District of Columbia | D.C. Code §§ 28-3851 et seq. |
| Guam | 9 GCA §§ 48-10 et seq. |
| Puerto Rico | 10 Laws of Puerto Rico §§ 4051 et seq. |
| Virgin Islands | V.I. Code tit. 14, §§ 2208, 2209 |
NOTES
Herb Weisbaum, More Than 4 Billion Data Records Were Stolen Globally in 2016, NBC (Oct. 31, 2017, 10:43 AM), https://www.nbcnews.com/storyline/hacking-in-america/more-4-billion-data-records-were-stolen-globally-2016-n714066.
Jose Pagliery, Half of American Adults Hacked This Year, CNN Tech (Oct. 31, 2017, 10:47 AM), http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/index.html.
Matt Burgess, That Yahoo Data Breach Actually Hit Three Billion Accounts, Wired (Oct. 31, 2017, 10:51 AM), http://www.wired.co.uk/article/hacks-data-breaches-2017; Chris Morris, 14 Million US Businesses Are at Risk of a Hacker Threat, CNBC (Oct. 31, 2017, 10:53 AM), https://www.cnbc.com/2017/07/25/14-million-us-businesses-are-at-risk-of-a-hacker-threat.html.
Va. Code Ann. § 18.2-186.6 (2017).
§ 18.2-186.6(I).
§ 18.2-186.6(B).
Lee Bell, Encryption Explained: How Apps and Sites Keep Your Private Data Safe (and Why That’s Important), Wired (Oct. 31, 2017, 11:18 AM), http://www.wired.co.uk/article/encryption-software-app-private-data-safe.
Rick Borstein, Redaction in a Digital World, Law Practice Today (Oct. 31, 2017, 11:39 AM), https://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/july11/redaction_in_a_digital_world.html.
§ 18.2-186.6(A).
§ 18.2-186.6(B).
The only record of § 18.2-186.6 being brought before a court is in a private suit, which was dismissed for lack of standing. Corona v. Sony Pictures Entm’t, Inc., 2015 U.S. Dist. LEXIS 85865 (C.D. Cal. 2015).
§ 18.2-186.6(B).
§ 18.2-186.6(B).
Va. Code Ann. §§ 18.2-168 to 18.2-246.15 (2017).
§ 18.2-186.6(B).
§ 18.2-186.6(B).
Refer to the appendix.
§ 18.2-186.6(I).
Supra note 17.
§ 18.2-186.6(B).
Office of the Attorney General of Virginia, Database Breach Notification Requirements Updated July 1, 2017 (2017), https://www.oag.state.va.us/CCSWEB2/files/Data_Breach_Notification_Req.pdf.
§ 18.2-186.6(A).