Virginia Amends its Data Breach Notification Statute to Include State Income Tax Information

Virginia recently amended its data breach notification statute to require notification to the Virginia Office of the Attorney General (“AG”) in the event of a data breach involving state income tax information.

Under Virginia’s existing statutory requirements, a person or entity that owns or licenses computerized data is required to notify all affected persons, and the AG, following a data breach involving “personal information” that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of Virginia.  “Personal information” is currently defined as “the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted: (1) Social security number; (2) Driver’s license number or state identification card number issued in lieu of a driver’s license number; or (3) Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.  [Personal information] does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.”  However, an entity that is subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”) and maintains procedures for notification of a breach of the security of the system in accordance with GLBA is deemed to be in compliance with Virginia’s current data breach notification requirements.

The amendment, which takes effect on July 1, 2017, creates a separate notification requirement, applicable specifically to employers and payroll service providers that own or license computerized data relating to state income tax withholdings.  Specifically, these entities or persons are required to notify the AG “without unreasonable delay” following a data breach containing a “taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data . . . and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud.”  Because this notification requirement is separate from the existing notification requirement, it appears that employers will not be required to notify the affected individuals whose information has been compromised.  Furthermore, the aforementioned presumption of compliance for complying with GLBA requirements does not apply to this new, separate notification requirement; employers and payroll service providers must notify the AG even if they are subject to GLBA and comply with its requirements.

House Bill 2113, Breach of payroll data; notification requirement, is available at: https://lis.virginia.gov/cgi-bin/legp604.exe?171+ful+CHAP0419.