Virginia Amends Law Requiring Notice For Security Breaches Compromising Employee Tax Information

Published on May 15, 2017

The new provision of § 18.2-186.6 requires employers to notify the Attorney General of Virginia of a breach that allows access to employee tax information.

Identity theft is no new concern, and the amount of information that can become exploitable is ever increasing. A new major concern has been the increasing number of false tax filings by cyber-criminals to receive the victim’s tax return. Businesses maintain troves of sensitive information, particularly the personal information of employees, and are prime targets for hacking. Failure to take information security seriously in light of this threat is no longer reasonable.

In an effort to curb this crime and provide Virginia taxpayers with additional protection, the General Assembly has recently passed a new law requiring Virginia employers to report a data breach that compromises the tax information of employees.

Prior to the new law, § 18.2-186.6 of the Code of Virginia required notice be provided to the Attorney General of Virginia if the owner of a system maintaining personal information discovered unauthorized access to that information. The law states:

If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity . . . shall disclose any breach of the security of the system following discovery . . . to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay.

Va. Code Ann. § 18.2-186.6(B). “Personal information” is defined under the law as the first name or first name initial and last name of an individual, combined with either that individual’s Social Security number, license or state identification number, or financial account or credit card number and access code. Id. at § 18.2-186.6(A)(4)(c)(5).

On February 21, 2017, the General Assembly approved an amendment to § 18.2-186.6, adding a new subsection (M) to the law, which requires employers and payroll service providers to provide notice to the Attorney General upon discovery of a security breach involving the unauthorized access of employee tax information. The amendment was approved by Gov. Terry McAuliffe and became law on March 13, 2017. The new provision states in part:

[A]ny employer or payroll service provider that owns or licenses computerized data relating to income tax withheld . . . shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud.

The law includes several specific exceptions allowing for a delayed notification. For any breach requiring notice to the Attorney General under this law, the notice may be reasonably delayed to allow the business to determine the scope of the breach and to restore the reasonable integrity of the information system. Id. at § 18.2-186(B). Notice may also be reasonably delayed if, after the business notifies a law enforcement agency, law enforcement advises the business that the notice will impede a criminal or civil investigation, or homeland or national security. Id. Failure to provide appropriate notice may result in a civil fine of $150,000, as well as an individual action by the victim for damages.

Welter Insight

Employers with employees working in Virginia must be aware of the notice requirements of § 18.2-186.6. When a business discovers the unauthorized access of unencrypted and unredacted tax information of its employees and reasonably believes the unauthorized access has caused or will cause identity theft or fraud, the business must provide notice of the breach to the Attorney General of Virginia, unless an exception allows for delay. Further, if a breach occurs allowing unauthorized access to an employee’s personal information (as defined) that the employer reasonably believes has caused or will cause identity theft or fraud, notice must be provided to the Attorney General as well as any affected employees.
