VIRGINIA
FINES & PENALTIES
Violations
Up to $150,000
BREACH NOTIFICATION
Mandated Timeframe
Without unreasonable delay
BREACH REPORTING
For breaches involving notification of more than 1,000 persons at one time, breach reporting is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, and additional information must be provided to the Attorney General. If any state residents are affected by a breach of security, the breached Organization must give notice without delay to the affected individuals and the Attorney General. Regulatory reporting and consumer notifications must include specific information regarding a breach incident.
CONSUMER NOTIFICATION
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
FINES & PENALTIES
The state Attorney General has enforcement authority to bring an action to address violations and impose civil penalties of up to $150,000 per breach or series of breaches. Individuals also have the right to recover direct economic damages due to violations.
INDUSTRY SPECIFIC LAWS
Virginia passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Additional laws exist regarding medical breaches, with notification made to the Office of the Attorney General, the Commissioner of Health, and any affected resident of the Commonwealth without unreasonable delay.
VENDOR/3RD PARTIES
Vendors must report to the Organization without delay after the discovery of a breach or suspected breach. The Organization will be responsible for completing any required regulatory reporting and consumer notification.