{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-624.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-624.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-624.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-624.html"}],"law_id":59652,"edition_id":1,"section_id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","history":"2020, c. 264.","full_text":"A\n\nIf a licensee learns that a cybersecurity event has or may have occurred, the licensee or an investigator shall conduct a prompt investigation.B\n\nDuring the investigation, the licensee or an investigator shall, at a minimum, determine as much of the following information as possible:1\n\nDetermine whether a cybersecurity event has occurred;2\n\nAssess the nature and scope of the cybersecurity event;3\n\nIdentify any nonpublic information that may have been involved in the cybersecurity event; and4\n\nPerform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee&#8217;s possession, custody, or control.C\n\nIf a licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the third-party service provider has completed those steps.D\n\nEach licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner.","order_by":null,"text":{"0":{"id":218463,"text":"If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an investigator shall conduct a prompt investigation.","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"B"},"1":{"id":218464,"text":"During the investigation, the licensee or an investigator shall, at a minimum, determine as much of the following information as possible:","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A","next_prefix":"B1"},"2":{"id":218465,"text":"Determine whether a cybersecurity event has occurred;","type":"section","prefixes":["B","1"],"prefix":"1","entire_prefix":"B1","prefix_anchor":"B1","level":2,"prior_prefix":"B","next_prefix":"B2"},"3":{"id":218466,"text":"Assess the nature and scope of the cybersecurity event;","type":"section","prefixes":["B","2"],"prefix":"2","entire_prefix":"B2","prefix_anchor":"B2","level":2,"prior_prefix":"B1","next_prefix":"B3"},"4":{"id":218467,"text":"Identify any nonpublic information that may have been involved in the cybersecurity event; and","type":"section","prefixes":["B","3"],"prefix":"3","entire_prefix":"B3","prefix_anchor":"B3","level":2,"prior_prefix":"B2","next_prefix":"B4"},"5":{"id":218468,"text":"Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee&#8217;s possession, custody, or control.","type":"section","prefixes":["B","4"],"prefix":"4","entire_prefix":"B4","prefix_anchor":"B4","level":2,"prior_prefix":"B3","next_prefix":"C"},"6":{"id":218469,"text":"If a licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the third-party service provider has completed those steps.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B4","next_prefix":"D"},"7":{"id":218470,"text":"Each licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},"next_section":{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-624\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":82527,"section_number":"38.2-625","catch_line":"Notice to Commissioner","order_by":null,"url":"\/38.2-625\/"},{"id":54030,"section_number":"38.2-629","catch_line":"Exceptions","order_by":null,"url":"\/38.2-629\/"}],"refers_to":false,"permalink":{"id":218139,"object_type":"law","relational_id":59652,"identifier":"38.2-624","token":"38.2\/6\/2\/38.2-624","url":"\/38.2-624\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","dublin_core":{"Title":"Investigation of a cybersecurity event","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-624","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> If a <span class=\"dictionary\">licensee<\/span> learns that a <span class=\"dictionary\">cybersecurity event<\/span> has or may have occurred, the <span class=\"dictionary\">licensee<\/span> or an investigator shall conduct a prompt investigation. <a id=\"paragraph-218463\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> During the investigation, the <span class=\"dictionary\">licensee<\/span> or an investigator shall, at a minimum, determine as much of the following information as possible: <a id=\"paragraph-218464\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> Determine whether a <span class=\"dictionary\">cybersecurity event<\/span> has occurred; <a id=\"paragraph-218465\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#B1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> Assess the nature and scope of the <span class=\"dictionary\">cybersecurity event<\/span>; <a id=\"paragraph-218466\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#B2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> Identify any <span class=\"dictionary\">nonpublic information<\/span> that may have been involved in the <span class=\"dictionary\">cybersecurity event<\/span>; and <a id=\"paragraph-218467\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#B3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> Perform or oversee reasonable measures to restore the security of the <span class=\"dictionary\">information systems<\/span> compromised in the <span class=\"dictionary\">cybersecurity event<\/span> in <span class=\"dictionary\">order<\/span> to prevent further unauthorized acquisition, release, or use of <span class=\"dictionary\">nonpublic information<\/span> in the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control. <a id=\"paragraph-218468\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#B4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> If a <span class=\"dictionary\">licensee<\/span> learns that a <span class=\"dictionary\">cybersecurity event<\/span> has or may have occurred in a system maintained by a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>, the <span class=\"dictionary\">licensee<\/span> will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> has completed those steps. <a id=\"paragraph-218469\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> Each <span class=\"dictionary\">licensee<\/span> shall maintain records concerning all <span class=\"dictionary\">cybersecurity events<\/span> for a period of at least five years from the date of the <span class=\"dictionary\">cybersecurity event<\/span> and shall produce those records upon demand of the <span class=\"dictionary\">Commissioner<\/span>. <a id=\"paragraph-218470\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-624\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nINVESTIGATION OF A CYBERSECURITY EVENT (\u00a7 38.2-624)\n\nA. If a licensee learns that a cybersecurity event has or may have occurred, the\nlicensee or an investigator shall conduct a prompt investigation.\n\nB. During the investigation, the licensee or an investigator shall, at a\nminimum, determine as much of the following information as possible:\n\n   1. Determine whether a cybersecurity event has occurred;\n\n   2. Assess the nature and scope of the cybersecurity event;\n\n   3. Identify any nonpublic information that may have been involved in the\n   cybersecurity event; and\n\n   4. Perform or oversee reasonable measures to restore the security of the\n   information systems compromised in the cybersecurity event in order to prevent\n   further unauthorized acquisition, release, or use of nonpublic information in\n   the licensee&#8217;s possession, custody, or control.\n\nC. If a licensee learns that a cybersecurity event has or may have occurred in a\nsystem maintained by a third-party service provider, the licensee will complete\nthe steps listed in subsection B or make reasonable efforts to confirm and\ndocument that the third-party service provider has completed those steps.\n\nD. Each licensee shall maintain records concerning all cybersecurity events for\na period of at least five years from the date of the cybersecurity event and\nshall produce those records upon demand of the Commissioner.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}