| Data Breach Law (Designated by Statutory Number) | |
|---|---|
| CITATION | Va. Code § 18.2-186.6, § 32.1-127.1:05 |
| ENACTED | 2008 |
| SUMMARY | If unencrypted or unredacted personal information is believed to have been accessed and acquired by an unauthorized person, or the individual or entity reasonably believes the breach has caused or will cause identity theft or fraud to a West Virginia resident, then the entity that owns or licenses computerized data containing personal information must give notice. |
| DATA COVERED | The law covers "Personal Information", which is defined as the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of West Virginia when the data elements are neither encrypted nor redacted: |
| INDUSTRY | Any authority, board, bureau, commission, district or agency of VA or any political subdivision; boards of visitors of public institutions of higher education; and other organizations, corporations, or agencies in VA supported wholly or principally by public funds. |
| PENALTIES | The law gives various governmental departments the right to pursue an action for violations of the law. The Office of the Attorney General is authorized to impose a civil penalty not to exceed one hundred fifty thousand dollars ($150,000) for breaches that are discovered in a single investigation. An individual is also authorized to pursue damages resulting from a violation. Actions for breaches involving financial organizations are brought by the state regulator. Actions against entities regulated by the State Corporation Commission’s Bureau of Insurance may be brought only by the State Corporation Commission. |