Virginia law imposes duties on employers and others who collect and store personal information. The chart below gives a general overview of these requirements; additional requirements and exceptions may apply.

Types of Protected Information

Personal information means:

The first name (or first initial) and last name in combination with and linked to any unencrypted or unredacted data elements listed below that relate to a Virginia resident:

  • Social Security number;
  • Driver’s license number or state i.d. card number; or
  • Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.

Personal information does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

Additional protection requirements apply to Social Security numbers. (See below.)

Protection Requirements

Except as otherwise provided by law, an employer may not:

  • Intentionally communicate another individual’s Social Security number to the general public;
  • Print an individual’s Social Security number on any card required for the individual to access or receive products or services;
  • Require an individual to use his or her Social Security number to access a website, unless a password, unique personal identification number, or other authentication device is also required to access the site; or
  • Send or cause to be sent or delivered any letter, envelope, or package that displays a Social Security number on the face of the mailing envelope or package, or from which a Social Security number is visible, whether on the outside or inside of the mailing envelope or package.

Security Breach Notification Requirements

Employers that own or license computerized data that includes personal information, and that discover or are notified of a security breach of the system, must provide notice of the breach to the Virginia Attorney General and any affected Virginia resident without unreasonable delay. This notice is required if the unauthorized access to personal information has caused, or is reasonably believed to have caused or will cause, identity theft or other fraud to any Virginia resident.

Generally, if an employer provides notice to more than 1,000 persons at one time, it must notify, without unreasonable delay, the Attorney General and all national consumer reporting agencies.

Key Exceptions:

  • An employer that complies with its own notification procedures as part of a privacy and security policy for the treatment of personal information, that is consistent with the timing requirements of the law; or
  • An employer that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional state or federal regulator.

Please Note: The state law summaries featured on this site are for general informational purposes only. In addition to state law, certain municipalities may enact legislation that imposes different requirements. State and local laws change frequently and, as such, we cannot guarantee the accuracy or completeness of the information featured in the State Laws section. For more detailed information regarding state or local laws, please contact your state labor department or the appropriate local government agency.
