{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-621.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-621.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-621.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-621.html"}],"law_id":86014,"edition_id":1,"section_id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","history":"2020, c. 264.","full_text":"As used in this article:\n\t\t&#8220;Authorized person&#8221; means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.\n\t\t&#8220;Consumer&#8221; means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.\n\t\t&#8220;Cybersecurity event&#8221; means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. &#8220;Cybersecurity event&#8221; does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.\n\t\t&#8220;Encrypted&#8221; means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.\n\t\t&#8220;HIPAA&#8221; means the federal Health Insurance Portability and Accountability Act (42 U.S.C. \u00a7 1320d et seq.).\n\t\t&#8220;Home state&#8221; means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.\n\t\t&#8220;Information security program&#8221; means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.\n\t\t&#8220;Information system&#8221; means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.\n\t\t&#8220;Insurance-support organization&#8221; has the same meaning as provided in \u00a7 38.2-602.\n\t\t&#8220;Licensee&#8221; means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. &#8220;Licensee&#8221; does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.\n\t\t&#8220;Nonpublic information&#8221; means information that is not publicly available information and is:\n\n1\n\nBusiness-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;2\n\nAny information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer&#8217;s (i) social security number; (ii) driver&#8217;s license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer&#8217;s financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or3\n\nAny information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer&#8217;s family; (i) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.\n\t\t\t&#8220;Nonpublic information&#8221; does not include a consumer&#8217;s personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.\n\t\t\t&#8220;Person&#8221; means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association.\n\t\t\t&#8220;Publicly available information&#8221; means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.\n\t\t\t&#8220;Third-party service provider&#8221; means (i) a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is permitted access to nonpublic information through its provision of services to the licensee or (ii) an insurance-support organization.","order_by":null,"text":{"0":{"id":308041,"text":"As used in this article:\n\t\t&#8220;Authorized person&#8221; means a person known to and authorized by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.\n\t\t&#8220;Consumer&#8221; means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose nonpublic information is in the possession, custody, or control of a licensee or an authorized person.\n\t\t&#8220;Cybersecurity event&#8221; means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. &#8220;Cybersecurity event&#8221; does not include (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.\n\t\t&#8220;Encrypted&#8221; means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.\n\t\t&#8220;HIPAA&#8221; means the federal Health Insurance Portability and Accountability Act (42 U.S.C. \u00a7 1320d et seq.).\n\t\t&#8220;Home state&#8221; means the jurisdiction in which the producer maintains its principal place of residence or principal place of business and is licensed by that jurisdiction to act as a resident insurance producer.\n\t\t&#8220;Information security program&#8221; means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.\n\t\t&#8220;Information system&#8221; means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.\n\t\t&#8220;Insurance-support organization&#8221; has the same meaning as provided in \u00a7 38.2-602.\n\t\t&#8220;Licensee&#8221; means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. &#8220;Licensee&#8221; does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.\n\t\t&#8220;Nonpublic information&#8221; means information that is not publicly available information and is:","type":"section","prefixes":[""],"prefix":"","entire_prefix":"","prefix_anchor":"","level":1,"next_prefix":"1"},"1":{"id":308042,"text":"Business-related information of a licensee the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;","type":"section","prefixes":["1"],"prefix":"1","entire_prefix":"1","prefix_anchor":"1","level":1,"prior_prefix":"","next_prefix":"2"},"2":{"id":308043,"text":"Any information concerning a consumer that because of name, number, personal mark, or other identifier can be used to identify such consumer, in any combination with a consumer&#8217;s (i) social security number; (ii) driver&#8217;s license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a consumer&#8217;s financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or","type":"section","prefixes":["2"],"prefix":"2","entire_prefix":"2","prefix_anchor":"2","level":1,"prior_prefix":"1","next_prefix":"3"},"3":{"id":308044,"text":"Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer&#8217;s family; (i) the provision of health care to any consumer; or (iii) payment for the provision of health care to any consumer.\n\t\t\t&#8220;Nonpublic information&#8221; does not include a consumer&#8217;s personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under HIPAA.\n\t\t\t&#8220;Person&#8221; means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association.\n\t\t\t&#8220;Publicly available information&#8221; means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.\n\t\t\t&#8220;Third-party service provider&#8221; means (i) a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is permitted access to nonpublic information through its provision of services to the licensee or (ii) an insurance-support organization.","type":"section","prefixes":["3"],"prefix":"3","entire_prefix":"3","prefix_anchor":"3","level":1,"prior_prefix":"2"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"next_section":{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-621\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":false,"refers_to":[{"id":73837,"section_number":"38.2-602","catch_line":"Definitions","order_by":null,"url":"\/38.2-602\/"}],"permalink":{"id":218127,"object_type":"law","relational_id":86014,"identifier":"38.2-621","token":"38.2\/6\/2\/38.2-621","url":"\/38.2-621\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","dublin_core":{"Title":"Definitions","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-621","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section><p>As used in this article:\n\t\t&#8220;<span class=\"dictionary\">Authorized person<\/span>&#8221; means a person known to and authorized by the <span class=\"dictionary\">licensee<\/span> and determined to be necessary and appropriate to have access to the <span class=\"dictionary\">nonpublic information<\/span> held by the <span class=\"dictionary\">licensee<\/span> and its <span class=\"dictionary\">information systems<\/span>.\n\t\t&#8220;<span class=\"dictionary\">Consumer<\/span>&#8221; means an individual, including applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of the Commonwealth and whose <span class=\"dictionary\">nonpublic information<\/span> is in the <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control of a <span class=\"dictionary\">licensee<\/span> or an <span class=\"dictionary\">authorized person<\/span>.\n\t\t&#8220;<span class=\"dictionary\">Cybersecurity event<\/span>&#8221; means an event resulting in unauthorized access to, disruption of, or misuse of an <span class=\"dictionary\">information system<\/span> or <span class=\"dictionary\">nonpublic information<\/span> in the <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control of a <span class=\"dictionary\">licensee<\/span> or an <span class=\"dictionary\">authorized person<\/span>. &#8220;<span class=\"dictionary\">Cybersecurity event<\/span>&#8221; does not include (i) the unauthorized acquisition of <span class=\"dictionary\">encrypted<\/span> <span class=\"dictionary\">nonpublic information<\/span> if the encryption, process, or key is not also acquired, released, or used without authorization or (ii) an event in which the <span class=\"dictionary\">licensee<\/span> has determined that the <span class=\"dictionary\">nonpublic information<\/span> accessed by an unauthorized person has not been used or released and has been returned or destroyed.\n\t\t&#8220;<span class=\"dictionary\">Encrypted<\/span>&#8221; means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.\n\t\t&#8220;<span class=\"dictionary\">HIPAA<\/span>&#8221; means the federal Health <span class=\"dictionary\">Insurance<\/span> Portability and Accountability Act (42 U.S.C. \u00a7&nbsp;1320d et seq.).\n\t\t&#8220;<span class=\"dictionary\">Home state<\/span>&#8221; means the <span class=\"dictionary\">jurisdiction<\/span> in which the producer maintains its principal place of residence or principal place of business and is licensed by that <span class=\"dictionary\">jurisdiction<\/span> to act as a resident <span class=\"dictionary\">insurance<\/span> producer.\n\t\t&#8220;<span class=\"dictionary\">Information security program<\/span>&#8221; means the administrative, technical, and physical safeguards that a <span class=\"dictionary\">licensee<\/span> uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle <span class=\"dictionary\">nonpublic information<\/span>.\n\t\t&#8220;<span class=\"dictionary\">Information system<\/span>&#8221; means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or <span class=\"dictionary\">disposition<\/span> of electronic information, as well as any specialized system such as industrial or process control systems, telephone switching and private branch exchange systems, and environmental control systems.\n\t\t&#8220;<span class=\"dictionary\"><span class=\"dictionary\">Insurance<\/span>-support organization<\/span>&#8221; has the same meaning as provided in \u00a7&nbsp;<a class=\"law\" title=\"Definitions\" href=\"\/38.2-602\/\">38.2-602<\/a>.\n\t\t&#8220;<span class=\"dictionary\">Licensee<\/span>&#8221; means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the <span class=\"dictionary\">insurance<\/span> <span class=\"dictionary\">laws<\/span> of the Commonwealth. &#8220;<span class=\"dictionary\">Licensee<\/span>&#8221; does not include a purchasing group or a risk retention group chartered and licensed in a state other than the Commonwealth or a person that is acting as an assuming <span class=\"dictionary\">insurer<\/span> that is domiciled in another state or <span class=\"dictionary\">jurisdiction<\/span>.\n\t\t&#8220;<span class=\"dictionary\">Nonpublic information<\/span>&#8221; means information that is not <span class=\"dictionary\">publicly available information<\/span> and is:<\/p><\/section>\n\t\t\t\t\t\t<section id=\"1\"><p><span class=\"prefix-number\">1.<\/span> Business-related information of a <span class=\"dictionary\">licensee<\/span> the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a <span class=\"dictionary\">material<\/span> adverse impact to the business, operations, or security of the <span class=\"dictionary\">licensee<\/span>; <a id=\"paragraph-308042\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-621\/#1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"2\"><p><span class=\"prefix-number\">2.<\/span> Any information concerning a <span class=\"dictionary\">consumer<\/span> that because of name, number, personal mark, or other identifier can be used to identify such <span class=\"dictionary\">consumer<\/span>, in any combination with a <span class=\"dictionary\">consumer<\/span>&#8217;s (i) social security number; (ii) driver&#8217;s license number or nondriver identification card number; (iii) financial account, credit card, or debit card number; (iv) security code, access code, or password that would permit access to a <span class=\"dictionary\">consumer<\/span>&#8217;s financial account; (v) passport number; (vi) military identification number; or (vii) biometric records; or <a id=\"paragraph-308043\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-621\/#2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"3\"><p><span class=\"prefix-number\">3.<\/span> Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a <span class=\"dictionary\">consumer<\/span> that can be used to identify a particular <span class=\"dictionary\">consumer<\/span>, and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any <span class=\"dictionary\">consumer<\/span> or a member of the <span class=\"dictionary\">consumer<\/span>&#8217;s family; (i) the provision of health care to any <span class=\"dictionary\">consumer<\/span>; or (iii) payment for the provision of health care to any <span class=\"dictionary\">consumer<\/span>.\n\t\t\t&#8220;<span class=\"dictionary\">Nonpublic information<\/span>&#8221; does not include a <span class=\"dictionary\">consumer<\/span>&#8217;s personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under <span class=\"dictionary\">HIPAA<\/span>.\n\t\t\t&#8220;Person&#8221; means any individual or any nongovernmental entity, including any nongovernmental partnership, corporation, branch, agency, or association.\n\t\t\t&#8220;<span class=\"dictionary\">Publicly available information<\/span>&#8221; means any information that a <span class=\"dictionary\">licensee<\/span> has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local <span class=\"dictionary\">law<\/span>. A <span class=\"dictionary\">licensee<\/span> has a reasonable basis to believe that information is lawfully made available to the general public if the <span class=\"dictionary\">licensee<\/span> has taken steps to determine (i) that the information is of the type that is available to the general public and (ii) whether a <span class=\"dictionary\">consumer<\/span> can direct that the information not be made available to the general public and, if so, that such <span class=\"dictionary\">consumer<\/span> has not done so.\n\t\t\t&#8220;<span class=\"dictionary\">Third-<span class=\"dictionary\">party<\/span> service provider<\/span>&#8221; means (i) a person, not otherwise defined as a <span class=\"dictionary\">licensee<\/span>, that <span class=\"dictionary\">contracts<\/span> with a <span class=\"dictionary\">licensee<\/span> to maintain, process, or store <span class=\"dictionary\">nonpublic information<\/span>, or otherwise is permitted access to <span class=\"dictionary\">nonpublic information<\/span> through its provision of services to the <span class=\"dictionary\">licensee<\/span> or (ii) an <span class=\"dictionary\"><span class=\"dictionary\">insurance<\/span>-support organization<\/span>. <a id=\"paragraph-308044\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-621\/#3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nDEFINITIONS (\u00a7 38.2-621)\n\nAs used in this article:\n\t\t&#8220;Authorized person&#8221; means a person known to and authorized by the\nlicensee and determined to be necessary and appropriate to have access to the\nnonpublic information held by the licensee and its information systems.\n\t\t&#8220;Consumer&#8221; means an individual, including applicants,\npolicyholders, insureds, beneficiaries, claimants, and certificate holders, who\nis a resident of the Commonwealth and whose nonpublic information is in the\npossession, custody, or control of a licensee or an authorized person.\n\t\t&#8220;Cybersecurity event&#8221; means an event resulting in unauthorized\naccess to, disruption of, or misuse of an information system or nonpublic\ninformation in the possession, custody, or control of a licensee or an\nauthorized person. &#8220;Cybersecurity event&#8221; does not include (i) the\nunauthorized acquisition of encrypted nonpublic information if the encryption,\nprocess, or key is not also acquired, released, or used without authorization or\n(ii) an event in which the licensee has determined that the nonpublic\ninformation accessed by an unauthorized person has not been used or released and\nhas been returned or destroyed.\n\t\t&#8220;Encrypted&#8221; means the transformation of data into a form that\nresults in a low probability of assigning meaning without the use of a\nprotective process or key.\n\t\t&#8220;HIPAA&#8221; means the federal Health Insurance Portability and\nAccountability Act (42 U.S.C. \u00a7 1320d et seq.).\n\t\t&#8220;Home state&#8221; means the jurisdiction in which the producer\nmaintains its principal place of residence or principal place of business and is\nlicensed by that jurisdiction to act as a resident insurance producer.\n\t\t&#8220;Information security program&#8221; means the administrative,\ntechnical, and physical safeguards that a licensee uses to access, collect,\ndistribute, process, protect, store, use, transmit, dispose of, or otherwise\nhandle nonpublic information.\n\t\t&#8220;Information system&#8221; means a discrete set of electronic\ninformation resources organized for the collection, processing, maintenance,\nuse, sharing, dissemination, or disposition of electronic information, as well\nas any specialized system such as industrial or process control systems,\ntelephone switching and private branch exchange systems, and environmental\ncontrol systems.\n\t\t&#8220;Insurance-support organization&#8221; has the same meaning as provided\nin \u00a7 38.2-602.\n\t\t&#8220;Licensee&#8221; means any person licensed, authorized to operate, or\nregistered, or required to be licensed, authorized, or registered pursuant to\nthe insurance laws of the Commonwealth. &#8220;Licensee&#8221; does not include\na purchasing group or a risk retention group chartered and licensed in a state\nother than the Commonwealth or a person that is acting as an assuming insurer\nthat is domiciled in another state or jurisdiction.\n\t\t&#8220;Nonpublic information&#8221; means information that is not publicly\navailable information and is:\n\n1. Business-related information of a licensee the tampering with which, or the\nunauthorized disclosure, access, or use of which, would cause a material adverse\nimpact to the business, operations, or security of the licensee;\n\n2. Any information concerning a consumer that because of name, number, personal\nmark, or other identifier can be used to identify such consumer, in any\ncombination with a consumer&#8217;s (i) social security number; (ii)\ndriver&#8217;s license number or nondriver identification card number; (iii)\nfinancial account, credit card, or debit card number; (iv) security code, access\ncode, or password that would permit access to a consumer&#8217;s financial\naccount; (v) passport number; (vi) military identification number; or (vii)\nbiometric records; or\n\n3. Any information or data, except age or gender, in any form or medium created\nby or derived from a health care provider or a consumer that can be used to\nidentify a particular consumer, and that relates to (i) the past, present, or\nfuture physical, mental, or behavioral health or condition of any consumer or a\nmember of the consumer&#8217;s family; (i) the provision of health care to any\nconsumer; or (iii) payment for the provision of health care to any consumer.\n\t\t\t&#8220;Nonpublic information&#8221; does not include a consumer&#8217;s\npersonally identifiable information that has been anonymized using a method no\nless secure than the safe harbor method under HIPAA.\n\t\t\t&#8220;Person&#8221; means any individual or any nongovernmental entity,\nincluding any nongovernmental partnership, corporation, branch, agency, or\nassociation.\n\t\t\t&#8220;Publicly available information&#8221; means any information that a\nlicensee has a reasonable basis to believe is lawfully made available to the\ngeneral public from federal, state, or local government records; widely\ndistributed media; or disclosures to the general public that are required to be\nmade by federal, state, or local law. A licensee has a reasonable basis to\nbelieve that information is lawfully made available to the general public if the\nlicensee has taken steps to determine (i) that the information is of the type\nthat is available to the general public and (ii) whether a consumer can direct\nthat the information not be made available to the general public and, if so,\nthat such consumer has not done so.\n\t\t\t&#8220;Third-party service provider&#8221; means (i) a person, not otherwise\ndefined as a licensee, that contracts with a licensee to maintain, process, or\nstore nonpublic information, or otherwise is permitted access to nonpublic\ninformation through its provision of services to the licensee or (ii) an\ninsurance-support organization.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}