DBN Statutes – Virginia

Data Breach Notification Statutes – Virginia

Last Updated: 02/28/2024

  • Applicable Statute: Va. Code Ann. § 18.2-186.6
  • Attorney General Notice Required: Yes.
    • Timing: Not specified
    • Method: Mail to: Computer Crime Section Virginia Attorney General’s Office 202 North 9th Street Richmond, VA 23219
    • Content: As part of the notification, the Virginia Attorney General’s Office requests the following information from the individual or entity making the notification: 1. A cover letter on official letterhead to the Virginia Attorney General’s Office as notification of the breach; 2. Approximate date of the incident to include how the breach was discovered; 3. Cause of breach; 4. Number of Virginia residents affected by the breach; 5. The steps taken to remedy the breach; 6. If an organization’s employees’ tax identification numbers and amount of tax withheld are breached, the Federal Employer Identification Number (FEIN) of the organization; and 7. A sample of the notification made to the affected parties, to include any possible offers of free credit monitoring.
  • Consumer Notice Requirements:
    • Timing: Must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
    • Content: The notification must include description of the following: 
      • The breach incident in general terms;
      • The types of personal information that was subject to the unauthorized access and acquisition;
      • The acts taken to protect the personal information from further unauthorized access;
      • A telephone number that the person may call for further information and assistance, if one exists; and
      • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
    • Method: Written notice to last known postal address, by telephone, or electronic notice. Substitute notice is available under certain conditions.
  • Consumer Reporting Agency Obligations: If more than 1,000 persons are notified, must also notify all nationwide consumer reporting agencies of the timing, distribution and content of the notice. If one Virginia resident is included then the Attorney General must also be notified.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required