HB1154: Identity theft; notification of breach of information system.

HOUSE BILL NO. 1154
Offered January 11, 2006
Prefiled January 11, 2006
A BILL to amend the Code of Virginia by adding a section numbered 18.2-186.6, relating to identity theft prevention; notice of breach of information system.
Patron-- Lingamfelter

Referred to Committee on Science and Technology

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding a section numbered 18.2-186.6 as follows:

§ 18.2-186.6. Notice of breach of information system.

A. As used in this section:

"Breach of the security of the system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.

"Notice" means:

1. Written notice;

2. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in §7001 of Title 15 of the United States Code; or

3. Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $250,000, or that the affected class of Virginia residents to be notified exceeds 500,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: (i) e-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Virginia residents; (ii) conspicuous posting of the notice on the website of the individual or the commercial entity if the individual or the commercial entity maintains one; and (iii) notification to major statewide media.

"Personal information" means a Virginia resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

1. Social Security number;

2. Driver's license number;

3. Account number, or credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a resident's financial account; or

4. Individually identifiable information, in electronic or physical form, regarding the Virginia resident's medical history or medical treatment or diagnosis by a health care professional.

The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

B. An individual or a commercial entity that conducts business in Virginia and that owns or licenses computerized data that includes personal information shall give notice to a resident of Virginia of any breach of the security of the system immediately following the discovery of a breach in the security of personal information of the Virginia resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notification must be made in good faith, in the most expedient time possible, and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection D of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

C. An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data immediately following discovery of a breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

D. Notice required by this section may be delayed if a law-enforcement agency determines that the notice will impede a criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay, and as soon as possible after the law-enforcement agency determines that notification will no longer impede the investigation.

E. An individual or a commercial entity that is required to give notice of a breach in the security of personal information pursuant to this section shall also promptly provide written notification of the nature and circumstances of the breach to the Office of the Attorney General.

F. Notwithstanding the definition of notice in this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected Virginia residents in accordance with its policies in the event of a breach of security of the system. If an individual or a commercial entity that is regulated by state or federal law provides greater protection to personal information than that provided by this section in regard to the subjects addressed by this section, compliance with that state or federal law is deemed compliance with this section with regard to those subjects. This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.

G. Any Virginia resident damaged by a violation of this section may bring an action for recovery of damages. If damages are awarded to the Virginia resident, the damages shall be triple the amount of the actual damages proved plus reasonable attorney fees. Nothing in this section may be construed so as to nullify or impair any right which a Virginia resident may have at common law, by statute, or otherwise.

H. In addition to the remedy provided in subsection G of this section, the Office of the Attorney General may bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.