Virginia Adds State Income Tax Provision to Data Breach Notification Law
Time 2 Minute Read
Categories: Consumer Protection, Privacy & Cybersecurity

As posted on the Hunton Privacy and Information Security Law blog, recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.

The amendment contains a harm threshold, requiring notification when such unauthorized access and acquisition compromises the confidentiality of the data and causes, or reasonably will cause, identity theft or fraud. For employers, the amendment applies only to the employer’s Virginia employees, and not to information regarding the employer’s customers or non-employees. Notification to the Virginia Office of the Attorney General must be made “without unreasonable delay” and must include the name and federal employer identification number of the employer that may be affected by the incident. The amendment requires notification only to the Virginia Office of the Attorney General, and not affected individuals. The amendment takes effect on July 1, 2017.

Tags: Compliance, Data Breach, Enforcement, Personal Information, Tax, Virginia
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 2 Minute Read
Employer Alert! Virginia Moves to Further Restrict Non-Compete Agreements
Employer Alert! Virginia Moves to Further Restrict Non-Compete Agreements
By and

On March 4, 2026, Virginia Senate Bill 170 (SB170) passed the House of Delegates after unanimous approval by the Senate.  SB170 now awaits signature by Governor Abigail Spanberger, who has until April 13, 2026 to act.  If signed, the law will go into effect on July 1, 2026, and forms part of Virginia’s broader effort to limit the application and enforceability of non-compete agreements.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
CalPrivacy Issues $1.1 Million Fine for CCPA Violations Involving Student Privacy 
By

The California Consumer Privacy Act continues to drive significant enforcement activity—particularly when minors’ data is involved. In a recent action, the California Privacy Protection Agency imposed a $1.1 million fine on youth sports platform PlayOn Sports for alleged violations involving student data and inadequate opt-out mechanisms. The case highlights growing regulatory scrutiny around how companies collect, share, and provide transparency about personal information—especially when schools and students are involved. 

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Authors

Archives

Jump to Page