14VAC5-430-70. Consumer notification provisions.

A. Licensees, except those exempted under subsection A 1 or A 2 of § 38.2-629 of the Code of Virginia, that determine a cybersecurity event has occurred and has caused or has a reasonable likelihood of causing identity theft or other fraud to consumers whose information was accessed or acquired shall notify those consumers in accordance with § 38.2-626 of the Code of Virginia, subject to any applicable numerical threshold.

B. Each licensee required to notify consumers of a cybersecurity event that does not intend to notify consumers based on a belief that the cybersecurity event does not have a reasonable likelihood of causing identity theft or other fraud to the consumers shall notify the commissioner, without unreasonable delay, of its position and provide an explanation supporting the licensee's position.

Statutory Authority

§§ 12.1-13 and 38.2-223 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 37, Issue 21, eff. June 1, 2021.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.