Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of Breach Notification Laws:
  • Up to $150,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If any state residents are affected by a breach of security, the breached Organization must give notice without delay to the affected individuals and the Attorney General.
  • For breaches involving notification of more than 1,000 persons at one time, breach reporting is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, and additional information must be provided to the Attorney General.
  • Regulatory reporting and consumer notifications must include specific information regarding a breach incident.
  • Vendors must report to the Organization without delay after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • The state Attorney General has enforcement authority to bring an action to address violations and impose civil penalties of up to $150,000 per breach or series of breaches.
  • Individuals also have the right to recover direct economic damages due to violations.
  • Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
  • Separate, more stringent requirements exist for insurance-sector entities, including risk assessment, a written information security program, vendor management, and a breach notification timeframe of 3 business days.
Statutes and Laws
  • Va. Code § 18.2-186.6 Breach of personal information notification
  • Va. Code §§ 59.1-442 – 59.1-444 Personal Information Privacy Act
  • Va. Code § 32.1-127.1:05 Breach of medical information notification
  • Va. Code § 38.2, Ch. 6, Art. 2 Insurance Data Security Act