Virginia Personal Information Data Privacy Notification And Encryption Laws: Va. Code § 18.2-186.6.

The state of Virginia’s data breach notification law went into effect on July 1, 2008.  It is similarly worded to other state legislation in that the use of data encryption software provides safe harbor from costly and embarrassing breach notifications.

It differs in one crucial aspect.  Unlike similar state laws, a provision for imposing financial penalties has been included.  (Note: I’m not a lawyer, and you should consult with your legal representatives if you experienced a data breach).

Data Encryption Provides Safe Harbor From Breach Notification

Virginia Code § 18.2-186.6 was designed, like many such state laws, to encourage entities to improve the security of their customers’ data.  As such, it provides safe harbor when encryption software is used to protect customer data:

If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes…[it] shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [my emphasis]

This is one of the few laws I’ve seen where the use of encryption provides a direct relief from going public with a data breach.  In most legislation I’ve seen, safe harbor seems to be provided by defining personal information as “unencrypted data.”

I think the reasoning might be, since encrypted personal information is not unencrypted data, by definition it’s not personal information anymore–so, losing this encrypted information cannot constitute a data breach.  A confusing and roundabout way, certainly, but it gets the job done.

It’s also one of the few laws that specifies that encryption alone is not enough:

…disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft…

Most state laws have not gone as far as taking into account the possibility that the encryption keys (or passwords) are compromised as well.  While it would be up to the courts to decide, the data breach laws in other states have been criticized because safe harbor is afforded regardless of whether the encryption in question really protects the personal information; the provision quoted above closes that gap.

What Is Considered A Personal Information Security Breach In Virginia?

According to the law a “breach” is:

“Breach of the security of the system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.

Note how the breach is limited to computerized data only.  Some states are updating their data breach notification laws to cover the breach of data held in paper documents as well, and barring the passage of a federal law governing data breach notifications, we may very well see Virginia update its law to cover paper records too.

“Personal information” follows the conventional definition found in most state laws.  It’s the first name (or initial) and last name combined with:

• Social security number
• Driver’s license information
• Financial information, such as account numbers, credit card numbers, etc.

What Needs to Be Included In The Customer Notification Letter?

The law is pretty straightforward.  To quote it directly:

Notice required by this section shall include a description of the following:

(1) The incident in general terms;
(2) The type of personal information that was subject to the unauthorized access and acquisition;
(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;
(4) A telephone number that the person may call for further information and assistance, if one exists; and
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Also, if the breach involves more than 1,000 people, the Office of Attorney General must be alerted of the breach without unreasonable delay, as well as consumer reporting agencies.

Notices can be sent by letter, by telephone, by “electronic” means (meaning what?  There is no definition), or via substitute notice.  The last is only possible if the cost of notification exceeds $50,000; if more than 100,000 VA residents need to be notified; or if the company that experienced the breach doesn’t have contact details for its customers.

Virginia has given its AG the express ability to impose fines as a penalty (a maximum of $150,000 per incident):

The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.

The above law, and many others like it, may not require the use of encryption software like AlertBoot; however, they do seem to be pushing hard towards their adoption where sensitive information is concerned.

Why?  Because encryption is probably one of the most cost-effective ways of protecting sensitive information.

However, as an entity that collects sensitive information, you must remember that encryption is not a cure-all for your data security needs.  Just as the body suffers many different ailments–each with its own medication–you’ll find that your company needs different security prescriptions depending on its IT infrastructure.
