A. A licensee that maintains consumers’ nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers’ nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers’ nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:

1. The incident in general terms;

2. The type of nonpublic information that was subject to the unauthorized access and acquisition;

3. The general acts of the licensee to protect the consumer’s nonpublic information from further unauthorized access;

4. A telephone number that the consumer may call for further information and assistance, if one exists; and

5. Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer’s credit reports.

Terms Used In Virginia Code 38.2-626

  • Consumer: means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person. See Virginia Code 38.2-621
  • Cybersecurity event: means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. See Virginia Code 38.2-621
  • Fair Debt Collection Practices Act: The Fair Debt Collection Practices Act is a set of United States statutes added as Title VIII of the Consumer Credit Protection Act. Its purpose is to ensure ethical practices in the collection of consumer debts and to provide consumers with an avenue for disputing and obtaining validation of debt information in order to ensure the information's accuracy. It is often used in conjunction with the Fair Credit Reporting Act. Source: OCC
  • Fraud: Intentional deception resulting in injury to another.
  • Licensee: means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. See Virginia Code 38.2-621
  • Nonpublic information: means information that is not publicly available information and is:

    1. See Virginia Code 38.2-621

  • Person: means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association. See Virginia Code 38.2-621
  • Third-party service provider: means (i) a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is permitted access to nonpublic information through its provision of services to the licensee or (ii) an insurance-support organization. See Virginia Code 38.2-621

B. Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.

C. In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a (p), of the timing, distribution, and content of the notice.

D. Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. § 1692a.

E. Notice required by this section and § 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

F. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee’s deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

2020, c. 264.