SB1224: Identity theft; notification of breach of information system.

SENATE BILL NO. 1224
Offered January 10, 2007
Prefiled January 10, 2007
A BILL to amend the Code of Virginia by adding a section numbered 18.2-186.6, relating to identity theft prevention; notice of breach of information system.
Patron-- Howell

Referred to Committee for Courts of Justice

Be it enacted by the General Assembly of Virginia:

1.  That the Code of Virginia is amended by adding a section numbered 18.2-186.6 as follows:

§ 18.2-186.6. Notice of breach of information system.

A. As used in this section: 

"Breach of the security of the system" means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.

"Commercial entity" includes (i) corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or any other legal entity, whether for profit or not-for-profit and (ii) governments, governmental subdivisions, and agencies.

"Notice" means:

1. Written notice;

2. Telephonic notice;

3. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; or

4. Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $250,000, or that the affected class of Virginia residents to be notified exceeds 750,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: (i) e-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Virginia residents, (ii) conspicuous posting of the notice on the website of the individual or the commercial entity if the individual or the commercial entity maintains one, and (iii) notification to major statewide media.

"Personal information" means a Virginia resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

1. Social Security number;

2. Driver's license number; or

3. Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

B. An individual or a commercial entity that conducts business in Virginia and that owns or licenses computerized data that includes personal information about a resident of Virginia shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.  If the investigation determines that the misuse of information about a Virginia resident has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice as soon as possible to the affected Virginia resident. Notice shall be made in the most expedient time possible, and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection D of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

C. An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Virginia resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.

D. Notice required by this section may be delayed if a law-enforcement agency determines that the notice will impede a criminal investigation. Notice required by this section shall be made in good faith, without unreasonable delay, and as soon as possible after the law-enforcement agency determines that notification will no longer impede the investigation.

E. Under this section, an individual or commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected Virginia residents in accordance with its policies in the event of a breach of security of the system. 

F. Under this section, an individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual or the commercial entity notifies affected Virginia residents in accordance with the maintained procedures when a breach occurs.

G. Pursuant to the enforcement duties and powers of the Office of the Attorney General, the Attorney General may bring an action in law or equity to address violations of this chapter and for other relief that may be appropriate to ensure proper compliance with this section or to recover direct economic damages resulting from a violation, or both. The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.

2. That clause (ii) of the definition of "Commercial entity" in subsection A of this act shall become effective on July 1, 2008.