Mandatory Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws: Penalties up to $150,000
Third Party Management: None to minimal
The law defines specific requirements for consumer notification.
For breaches involving notification of more than 1,000 persons at one time, breach reporting is required, without unreasonable delay, to the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
The state Attorney General has enforcement authority and may bring an action to address violations and impose civil penalties. Individuals also have the right to recover direct economic damages due to violations.
For violations of the Personal Information Privacy Act, damages may be awarded in the amount of $100 per violation and may include an award of reasonable attorney’s fees and court costs.
Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
If a vendor is breached, it must report the breach to the data owner. The data owner is then responsible for completing the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents according to each state's rules.
Statutes and Laws
Va. Code §§ 18.2-186.6 Breach of personal information notification (2008)