Virginia Code § 18.2-186.6 requires entities to notify residents of data breaches involving personal information. It defines what constitutes a breach, including unauthorized access, and specifies that certain employee acquisitions are not breaches. The law emphasizes timely notification to protect individuals from identity theft and fraud.
A breach occurs when there is unauthorized access and acquisition of unencrypted personal data that compromises security or confidentiality, potentially leading to identity theft or fraud.
No, good faith acquisition by an employee or agent for lawful purposes is not considered a breach, provided the information is not used unlawfully or disclosed further.
Written notice must be provided to the last known postal address of the affected individual, informing them of the breach.
The law applies to various entities, including corporations, government agencies, partnerships, and other legal entities that maintain personal information.