Virginia recently updated its data breach legislation to require notification should payroll data become compromised.
The amended statute applies to employers or payroll service providers who experience unauthorized access and acquisition of personal information. This includes unencrypted and unredacted computerized data containing a taxpayer identification number in combination with income tax withholding information for that taxpayer.
“Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure,” the legislation stated.
The Virginia statute specifically defines “personal information” as the first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number issued in lieu of a driver's license number
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts
Organizations will also need to notify the Virginia Office of the Attorney General “without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data.”
“With respect to employers, this subsection applies only to information regarding the employer's employees, and does not apply to information regarding the employer's customers or other non-employees,” the legislation explained.
Furthermore, law enforcement investigations may allow organizations to delay the notification process if it is believed that such notification would impede an investigation.
“Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security,” the statute read.
Virginia considers “redacted information” to be data that has been altered or truncated so that only part of it is shown.
For example, this can include five digits of an individual’s Social Security number or the last four digits of an individual’s driver’s license number.
Virginia is currently one of the 48 states with data breach notification legislation, and its statute also covers medical information.
The statute likewise treats the first name or first initial and last name, in combination with and linked to any one or more of the following data elements, as protected medical information:
- Any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records
“Good faith acquisition of medical information by an employee or agent of an entity for the purposes of the entity is not a breach of the security of the system, provided that the medical information is not used for a purpose other than a lawful purpose of the entity or subject to further unauthorized disclosure,” the law states.
Other states have recently updated their data breach notification process as well. For example, Tennessee amended its legislation so organizations are no longer required to provide notification if the information was encrypted.
Amended Senate Bill 547 maintains that encrypted data is “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS).”
“A breach of system security occurs when an unauthorized person acquires unencrypted computerized data or encrypted computerized data and the encryption key, and the acquisition materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder,” according to the bill summary.
However, SB 547 also states that it does not apply to any information holder that is subject to Title V of the Gramm-Leach-Bliley Act of 1999 or to HIPAA as expanded by the HITECH Act.
“Under present law, publicly available information that is lawfully made available to the general public from federal, state, or local government records is not ‘personal information’, the acquisition of which by an unauthorized person triggers the notice requirement,” the summary read.