Identity theft; notice of database breach. (SB307)

Introduced By

Sen. Roscoe Reynolds (D-Martinsville)

Progress

Introduced
Passed Committee
Passed House
Passed Senate
Signed by Governor
Became Law

Description

Database breach notification. Requires that an individual or a commercial entity that conducts business in Virginia and that owns or licenses data that includes personal information about a resident of Virginia shall, when it becomes aware of a breach of the security of the system, (i) conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and (ii) notify the Office of the Attorney General that a breach has occurred. A breach of the security of the system is defined as the unauthorized acquisition and access of unencrypted or unredacted data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Types of notification meeting the requirements of this bill are listed, but not required if, after a reasonable investigation, the person or commercial entity determines that there is no reasonable likelihood of harm to affected Virginia residents. The Attorney General may bring an action in law to address violations and ensure proper compliance with this section. Nothing in this section shall limit an individual from recovering direct economic damages resulting from a violation of this section. Read the Bill »

Outcome

Bill Has Passed

History

DateAction
01/08/2008Prefiled and ordered printed; offered 01/09/08 085678810
01/08/2008Referred to Committee for Courts of Justice
01/10/2008Assigned Courts sub: Criminal
01/24/2008Impact statement from DPB (SB307)
02/06/2008Reported from Courts of Justice with substitute (15-Y 0-N) (see vote tally)
02/07/2008Committee substitute printed 081553316-S1
02/08/2008Constitutional reading dispensed (40-Y 0-N) (see vote tally)
02/11/2008Read second time
02/11/2008Reading of substitute waived
02/11/2008Committee substitute agreed to 081553316-S1
02/11/2008Engrossed by Senate - committee substitute SB307S1
02/11/2008Constitutional reading dispensed (40-Y 0-N) (see vote tally)
02/11/2008Passed Senate (40-Y 0-N) (see vote tally)
02/11/2008Communicated to House
02/12/2008Placed on Calendar
02/12/2008Read first time
02/12/2008Referred to Committee on Science and Technology
02/12/2008Impact statement from DPB (SB307S1)
02/25/2008Reported from Science and Technology with substitute (18-Y 0-N)
02/26/2008Committee substitute printed 085712316-H1
02/27/2008Read second time
02/28/2008Passed by for the day
02/29/2008Impact statement from DPB (SB307H1)
02/29/2008Read third time
02/29/2008Committee substitute agreed to 085712316-H1
02/29/2008Engrossed by House - committee substitute SB307H1
02/29/2008Passed House with substitute BLOCK VOTE (98-Y 0-N)
02/29/2008VOTE: BLOCK VOTE PASSAGE (98-Y 0-N)
03/04/2008House substitute agreed to by Senate (40-Y 0-N)
03/05/2008Bill text as passed Senate and House (SB307ER)
03/05/2008Enrolled
03/05/2008Signed by Speaker
03/06/2008Impact statement from DPB (SB307ER)
03/06/2008Signed by President
03/11/2008G Approved by Governor-Chapter 566 (effective 7/1/08)
03/17/2008G Acts of Assembly Chapter text (CHAP0566)

Duplicate Bills

The following bills are identical to this one: HB1052.

Comments

Virginia ITSP Association, tracking this bill in Photosynthesis, notes:

Requires that an individual or a commercial entity that conducts business in Virginia and that owns or licenses data that includes personal information about a resident of Virginia shall, when it becomes aware of a breach of the security of the system, (i) conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and (ii) notify the Office of the Attorney General that a breach has occurred.