
What Will the New State Privacy Laws Mean

As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?

Most companies are likely going to adopt a strategy along the lines of "this state is the most aggressive; let's follow this one and we should be good for all the rest." This is MOSTLY true, but each state has some quirks, so what does this look like? This is what Ballard Spahr says:

The only one of these that is not LAW YET is Washington's.

Here are a couple of interesting hand grenades.

For companies processing personal information that presents significant risk to the consumer’s privacy, CPRA requires an annual cybersecurity audit and delivery of a copy of the risk assessment to CPPA (the regulator) on a regular basis. Details to follow.

What does sensitive personal information mean? It depends.

For California, it means SSN, driver's license, passport, financial accounts, credit or debit cards, geolocation info, race, religion, genetic data, union membership, sexual orientation and other information. Florida doesn't define it. Virginia and Washington say it includes race, religion, medical, genetic, biometric, geolocation, PI of a minor, sexual orientation and citizenship status. While a lot of companies do not collect this info, some do.

Washington and Virginia require a Data Protection Assessment if you use the information for targeted advertising, sales, profiling where risks are involved, sensitive PI as described above or activities with heightened risks. Whatever that means. Sales probably includes most everyone.

You must provide a copy of the DPA to the state AG if he or she asks nicely. No subpoena required.

Next you have to worry about opt-out notices. For California, you have to give both a "do not sell" and a "limit use of sensitive data" notice, although they can be combined. Florida only requires a "do not sell" link. Washington and Virginia are quiet about it, but it could be defined in the regulations. We see a lot of that in California.

Finally, how much is it going to cost you if you screw up? California and Florida give consumers a private right to sue you and can nick you for statutory damages of up to $750 per record, or actual damages if more. In all four states the AG can nick you for up to $7,500 per record for intentional action, if minors are involved. Virginia and Washington add their attorneys' fees and costs to the mix.

Needless to say, it is probably better to follow the rules.

Credit: Ballard Spahr

Recent Updates To State Data Breach Laws

One of the challenges to companies doing business online is that your customers may be scattered all over the country.  While this is obviously good for business, it also means that you need to comply with state data breach laws for all states where you have customers, because a law's applicability is based on where your customers are and not where you are.  Unfortunately, this gets pretty complex pretty quickly and you should check with your legal counsel or an outside privacy/security-aware law firm to make sure that you are complying with the laws that you need to be complying with.  As you will see with the changes to the Tennessee law below, there are definitely nuances to these laws.

New Mexico

New Mexico had, until last month, been one of the "Three Musketeers" – the only three holdout states that don't have a data breach notification law. The other two are – can you guess? – South Dakota and Alabama.  Well, now there are only two musketeers left.  Last month New Mexico passed, and the governor signed, a data breach notification bill.  It goes into effect in June.

One thing that they have done is include biometric data in their definition of personally identifiable information.  That includes fingerprints, voice prints, iris or retina patterns, facial characteristics and hand geometry.

New Mexico also specifies that you have 45 days to notify people.  Most states say something like "you have to notify people without delay," but don't give you a deadline.  New Mexico has a deadline. It also requires that you notify the AG and the credit bureaus if the breach affects more than 1,000 people.


Virginia expanded its notification requirement to include income tax information.  Most likely this is due to all the W-2 fraud.  And, while we are at it, although we haven't seen a lot of this yet, I-9 fraud seems like a likely offshoot of W-2 fraud, since most companies save copies of documents like a passport, driver's license and/or birth certificate with the I-9 – definitely a juicy target. So now you have to notify the AG if there is a breach of unencrypted taxpayer ID info along with income tax withheld (i.e. a W-2), provided there is a reasonable expectation of identity theft or fraud.  The notification must be made without undue delay, and the AG will tell the tax departments.


Tennessee HAD the distinction of being the only state where you had to report breaches of encrypted data.  Or at least that was the interpretation some people had.  Now that confusion has been cleared up.  Like most other states, you DO NOT have a get-out-of-jail-free card if the encryption key was compromised along with the encrypted data.  While you may laugh at that, if someone compromises your server or workstation, it is LIKELY that the encryption key used to protect the data is embedded in a config file or in the software itself, and so is compromised along with the data.

In what may be, again, the only state that specifies this, the data must be encrypted in accordance with NIST's FIPS 140-2 standard.  That is, unless your business is required to meet Gramm-Leach-Bliley or HIPAA, in which case this doesn't apply, at least according to one source, but not the source below. Why they would do that is completely unclear.  It may be that they think it is too hard for people to comply with too many laws, or that they don't think they have jurisdiction. But since those laws (GLBA and HIPAA) don't specify the "quality" of the encryption algorithm, if you encrypt your health or financial information with a weak encryption algorithm you may be compliant with GLBA and HIPAA (I don't recommend using your Captain Marvel secret decoder ring to encrypt this data, but that is a personal decision), whereas if you run a retail store and you collect personal information, you had better use strong FIPS 140-2 compliant encryption.  What "in accordance with FIPS 140-2" means is not clear, but I saw another reference that said it had to be FIPS 140-2 certified software, which, if true, is a very important distinction.

The reason we tell people to consult legal counsel is that terms like "without undue delay", "reasonable expectation of identity theft or fraud" and "FIPS 140-2 compliant" are pretty vague, and your company's executive team, with legal advice, will need to decide what compliance really means.

I would definitely recommend checking out the Tennessee law's requirements if you have customers in that state, because, if my understanding is correct, they could definitely add some wrinkles for your developers.

Information for this post came from Mondaq.