Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect personal information
  • Written Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws
Penalties up to $150,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The law defines specific requirements for consumer notification.
  • For breaches involving notification of more than 1,000 persons at one time, breach reporting is required, without unreasonable delay, to the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • The state Attorney General has enforcement and authority to bring an action to address violations and impose civil penalties.  Individuals also have the right to recover direct economic damages due to violations.
  • For violations of the Personal Information Privacy Act, damages may be awarded in the amount of $100 per violation and may include an award of reasonable attorney’s fees and court costs.
  • Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
  • If vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Va. Code §§ 18.2-186.6 Breach of personal information notification (2008)
  • Va. Code §§ 18.2-186.3  Identity theft; penalty; restitution; victim assistance (2000)
  • Va. Code §§ 59.1-442 – 59.1-444  Personal Information Privacy Act (1992)
  • Va. Code § 32.1-127.1:05  Breach of medical information notification (2010)
BAck to map