Code of Virginia
Chapter 6 - Insurance Information and Privacy Protection
§ 38.2-626. Notice to consumers

A. A licensee that maintains consumers' nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:
1. The incident in general terms;
2. The type of nonpublic information that was subject to the unauthorized access and acquisition;
3. The general acts of the licensee to protect the consumer's nonpublic information from further unauthorized access;
4. A telephone number that the consumer may call for further information and assistance, if one exists; and
5. Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer's credit reports.
B. Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.
C. In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
D. Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. § 1692a.
E. Notice required by this section and § 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.
F. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
2020, c. 264.
