Friday, September 5, 2008
HB3148: Compromised Data Disclosure Act; created

HOUSE BILL NO. 3148
Offered January 19, 2007
A BILL to amend and reenact § 2.2-2458 of the Code of Virginia and to amend the Code of Virginia by adding in Title 2.2 a chapter numbered 38.1, consisting of sections numbered 2.2-3820 through 2.2-3822, relating to the Compromised Data Disclosure Act.
----------
Patrons-- Bulova and Sickles
----------
Committee Referral Pending
----------

Be it enacted by the General Assembly of Virginia:

1.  That § 2.2-2458 of the Code of Virginia is amended and reenacted and that the Code of Virginia is amended by adding in Title 2.2 a chapter numbered 38.1, consisting of sections numbered 2.2-3820 through 2.2-3822, as follows:

§ 2.2-2458. Powers and duties of the Board.

The Board shall have the power and duty to:

1. Appoint the Chief Information Officer as the chief administrative officer of the Board to oversee the operation of VITA pursuant to § 2.2-2005;

2. Adopt rules and procedures for the conduct of its business;

3. Approve or disapprove the development of all major information technology projects as defined in § 2.2-2006. The Board may terminate any major information technology project recommended for termination by the Chief Information Officer pursuant to § 2.2-2015;

4. Approve strategies, standards, and priorities recommended by the Chief Information Officer for the use of information technology for state agencies in the executive branch of state government;

5. Approve the four-year plan for information technology projects;

6. Approve statewide technical and data standards for information technology and related systems;

7. Approve statewide information technology architecture and related set of system standards;

8. Approve criteria for the review and approval of the planning, scheduling and tracking of major information technology projects as defined in § 2.2-2006;

9. Adopt resolutions or regulations conferring upon the Chief Information Officer all such powers, authorities and duties as the Board deems necessary or proper to carry out the purposes of Chapter 20.1 of Title 2.2; and

10. Submit by September 1 of each year a list of recommended technology investment projects and priorities for funding such projects to the Governor and the General Assembly; and

11. Establish policies, procedures, and standards for carrying out the provisions of the Compromised Data Disclosure Act (§ 2.2-3820 et seq.) of this title.

CHAPTER 38.1.
COMPROMISED DATA DISCLOSURE ACT.

§ 2.2-3820. Findings; definitions.

A. The General Assembly finds that the Commonwealth, as steward of sensitive personal information, has an obligation to notify in a timely manner any individual whose personal information has been compromised and where harm to that individual could reasonably be expected as a consequence. 

B. As used in this chapter:

"Agency" means an administrative unit of state government, including any department, institution, commission, board, council, authority, or other body, however designated. 

"Board" means any collegial body in the executive branch of state government created by the General Assembly. 

"Personal information" means the first name or first initial and last name of an individual in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (i) social security number; (ii) driver's license number; or (iii) account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to the financial account of an individual.

§ 2.2-3821. Obligation of state agencies.

Any agency that owns or licenses computerized data that include personal information shall disclose any breach of the security system following discovery or notification of the breach in security to any resident of Virginia whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

§ 2.2-3822. Virginia Information Technology Investment Board to establish procedures.

The Virginia Information Technology Investment Board shall establish policies, procedures, and standards for carrying out the provisions of § 2.2-3821. In establishing these policies, procedures, and standards, the Board shall define what constitutes a reportable breach of the security system, what constitutes proper and timely notice, and reasonable exceptions. The Board shall ensure that policies, procedures, and standards are consistent with procedures for reporting incidences to the Chief Information Officer under § 2.2-603.
