{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-625.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-625.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-625.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-625.html"}],"law_id":82527,"edition_id":1,"section_id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","history":"2020, c. 264.","full_text":"A\n\nIf a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if:1\n\nThe licensee is a domestic insurance company, or in the case of a producer, the Commonwealth is the licensee&#8217;s home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or2\n\nThe licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth or the licensee is required under federal law or the laws of another state to provide notice of the cybersecurity event to any government body, self-regulatory agency, or other supervisory body.B\n\nNotice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible:1\n\nThe date of the cybersecurity event;2\n\nA description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;3\n\nHow the cybersecurity event was discovered;4\n\nWhether any lost, stolen, or breached information has been recovered and, if so, how this was done;5\n\nThe identity of the source of the cybersecurity event;6\n\nWhether the licensee has filed a police report or has notified any regulatory, government, or law-enforcement agencies and, if so, when such notification was provided;7\n\nA description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the consumer;8\n\nThe period during which the information system was compromised by the cybersecurity event;9\n\nThe number of consumers in the Commonwealth affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;10\n\nThe results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;11\n\nA description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;12\n\nA copy of the licensee&#8217;s consumer privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and13\n\nThe name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.C\n\nA licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.D\n\nEach licensee shall notify consumers in compliance with &#xA7; 38.2-626, and provide a copy of the notice sent to consumers under such section to the Commissioner, when a licensee is required to notify the Commissioner under this section.E\n\nIf there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee&#8217;s deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.F\n\nIf a cybersecurity event involves nonpublic information that is used by a licensee that is acting as an assuming insurer or is in the possession, control, or custody of a licensee that is acting as an assuming insurer or its third-party service provider and the licensee does not have a direct contractual relationship with the affected consumers, the licensee shall notify its affected ceding insurers and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its third-party service provider that a cybersecurity event has occurred. Ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under &#xA7; 38.2-626 and any other notification requirements relating to a cybersecurity event imposed under this section.G\n\nIf there is a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider and for which a consumer accessed the insurer&#8217;s services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the Commissioner. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.H\n\nNothing in this article shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under &#xA7; 38.2-624 or notice requirements imposed under this section.","order_by":null,"text":{"0":{"id":295654,"text":"If a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if:","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"A1"},"1":{"id":295655,"text":"The licensee is a domestic insurance company, or in the case of a producer, the Commonwealth is the licensee&#8217;s home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or","type":"section","prefixes":["A","1"],"prefix":"1","entire_prefix":"A1","prefix_anchor":"A1","level":2,"prior_prefix":"A","next_prefix":"A2"},"2":{"id":295656,"text":"The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth or the licensee is required under federal law or the laws of another state to provide notice of the cybersecurity event to any government body, self-regulatory agency, or other supervisory body.","type":"section","prefixes":["A","2"],"prefix":"2","entire_prefix":"A2","prefix_anchor":"A2","level":2,"prior_prefix":"A1","next_prefix":"B"},"3":{"id":295657,"text":"Notice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible:","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A2","next_prefix":"B1"},"4":{"id":295658,"text":"The date of the cybersecurity event;","type":"section","prefixes":["B","1"],"prefix":"1","entire_prefix":"B1","prefix_anchor":"B1","level":2,"prior_prefix":"B","next_prefix":"B2"},"5":{"id":295659,"text":"A description of how the nonpublic information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;","type":"section","prefixes":["B","2"],"prefix":"2","entire_prefix":"B2","prefix_anchor":"B2","level":2,"prior_prefix":"B1","next_prefix":"B3"},"6":{"id":295660,"text":"How the cybersecurity event was discovered;","type":"section","prefixes":["B","3"],"prefix":"3","entire_prefix":"B3","prefix_anchor":"B3","level":2,"prior_prefix":"B2","next_prefix":"B4"},"7":{"id":295661,"text":"Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;","type":"section","prefixes":["B","4"],"prefix":"4","entire_prefix":"B4","prefix_anchor":"B4","level":2,"prior_prefix":"B3","next_prefix":"B5"},"8":{"id":295662,"text":"The identity of the source of the cybersecurity event;","type":"section","prefixes":["B","5"],"prefix":"5","entire_prefix":"B5","prefix_anchor":"B5","level":2,"prior_prefix":"B4","next_prefix":"B6"},"9":{"id":295663,"text":"Whether the licensee has filed a police report or has notified any regulatory, government, or law-enforcement agencies and, if so, when such notification was provided;","type":"section","prefixes":["B","6"],"prefix":"6","entire_prefix":"B6","prefix_anchor":"B6","level":2,"prior_prefix":"B5","next_prefix":"B7"},"10":{"id":295664,"text":"A description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the consumer;","type":"section","prefixes":["B","7"],"prefix":"7","entire_prefix":"B7","prefix_anchor":"B7","level":2,"prior_prefix":"B6","next_prefix":"B8"},"11":{"id":295665,"text":"The period during which the information system was compromised by the cybersecurity event;","type":"section","prefixes":["B","8"],"prefix":"8","entire_prefix":"B8","prefix_anchor":"B8","level":2,"prior_prefix":"B7","next_prefix":"B9"},"12":{"id":295666,"text":"The number of consumers in the Commonwealth affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section;","type":"section","prefixes":["B","9"],"prefix":"9","entire_prefix":"B9","prefix_anchor":"B9","level":2,"prior_prefix":"B8","next_prefix":"B10"},"13":{"id":295667,"text":"The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;","type":"section","prefixes":["B","10"],"prefix":"10","entire_prefix":"B10","prefix_anchor":"B10","level":2,"prior_prefix":"B9","next_prefix":"B11"},"14":{"id":295668,"text":"A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;","type":"section","prefixes":["B","11"],"prefix":"11","entire_prefix":"B11","prefix_anchor":"B11","level":2,"prior_prefix":"B10","next_prefix":"B12"},"15":{"id":295669,"text":"A copy of the licensee&#8217;s consumer privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and","type":"section","prefixes":["B","12"],"prefix":"12","entire_prefix":"B12","prefix_anchor":"B12","level":2,"prior_prefix":"B11","next_prefix":"B13"},"16":{"id":295670,"text":"The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.","type":"section","prefixes":["B","13"],"prefix":"13","entire_prefix":"B13","prefix_anchor":"B13","level":2,"prior_prefix":"B12","next_prefix":"C"},"17":{"id":295671,"text":"A licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B13","next_prefix":"D"},"18":{"id":295672,"text":"Each licensee shall notify consumers in compliance with &#xA7; 38.2-626, and provide a copy of the notice sent to consumers under such section to the Commissioner, when a licensee is required to notify the Commissioner under this section.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C","next_prefix":"E"},"19":{"id":295673,"text":"If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee&#8217;s deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.","type":"section","prefixes":["E"],"prefix":"E","entire_prefix":"E","prefix_anchor":"E","level":1,"prior_prefix":"D","next_prefix":"F"},"20":{"id":295674,"text":"If a cybersecurity event involves nonpublic information that is used by a licensee that is acting as an assuming insurer or is in the possession, control, or custody of a licensee that is acting as an assuming insurer or its third-party service provider and the licensee does not have a direct contractual relationship with the affected consumers, the licensee shall notify its affected ceding insurers and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its third-party service provider that a cybersecurity event has occurred. Ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under &#xA7; 38.2-626 and any other notification requirements relating to a cybersecurity event imposed under this section.","type":"section","prefixes":["F"],"prefix":"F","entire_prefix":"F","prefix_anchor":"F","level":1,"prior_prefix":"E","next_prefix":"G"},"21":{"id":295675,"text":"If there is a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider and for which a consumer accessed the insurer&#8217;s services through an independent insurance producer, the insurer shall notify the producers of record of all affected consumers as soon as practicable as directed by the Commissioner. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.","type":"section","prefixes":["G"],"prefix":"G","entire_prefix":"G","prefix_anchor":"G","level":1,"prior_prefix":"F","next_prefix":"H"},"22":{"id":295676,"text":"Nothing in this article shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under &#xA7; 38.2-624 or notice requirements imposed under this section.","type":"section","prefixes":["H"],"prefix":"H","entire_prefix":"H","prefix_anchor":"H","level":1,"prior_prefix":"G"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},"next_section":{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-625\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":75700,"section_number":"38.2-626","catch_line":"Notice to consumers","order_by":null,"url":"\/38.2-626\/"},{"id":57578,"section_number":"38.2-628","catch_line":"Confidentiality","order_by":null,"url":"\/38.2-628\/"},{"id":54030,"section_number":"38.2-629","catch_line":"Exceptions","order_by":null,"url":"\/38.2-629\/"}],"refers_to":[{"id":59652,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","order_by":null,"url":"\/38.2-624\/"},{"id":75700,"section_number":"38.2-626","catch_line":"Notice to consumers","order_by":null,"url":"\/38.2-626\/"}],"permalink":{"id":218143,"object_type":"law","relational_id":82527,"identifier":"38.2-625","token":"38.2\/6\/2\/38.2-625","url":"\/38.2-625\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","dublin_core":{"Title":"Notice to Commissioner","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-625","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> If a <span class=\"dictionary\">licensee<\/span> has determined that a <span class=\"dictionary\">cybersecurity event<\/span> has actually occurred, such <span class=\"dictionary\">licensee<\/span> shall notify the <span class=\"dictionary\">Commissioner<\/span>, in accordance with requirements prescribed by the <span class=\"dictionary\">Commission<\/span>, as promptly as possible but in no event later than three business days from such determination if: <a id=\"paragraph-295654\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> The <span class=\"dictionary\">licensee<\/span> is a domestic <span class=\"dictionary\">insurance company<\/span>, or in the case of a producer, the Commonwealth is the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">home state<\/span> and the <span class=\"dictionary\">cybersecurity event<\/span> meets threshold and other requirements prescribed by the <span class=\"dictionary\">Commission<\/span>; or <a id=\"paragraph-295655\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#A1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> The <span class=\"dictionary\">licensee<\/span> reasonably believes that the <span class=\"dictionary\">nonpublic information<\/span> involved is of 250 or more <span class=\"dictionary\">consumers<\/span> residing in the Commonwealth or the <span class=\"dictionary\">licensee<\/span> is required under federal <span class=\"dictionary\">law<\/span> or the <span class=\"dictionary\">laws<\/span> of another state to provide notice of the <span class=\"dictionary\">cybersecurity event<\/span> to any government body, self-regulatory agency, or other supervisory body. <a id=\"paragraph-295656\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#A2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> Notice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible: <a id=\"paragraph-295657\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> The date of the <span class=\"dictionary\">cybersecurity event<\/span>; <a id=\"paragraph-295658\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> A description of how the <span class=\"dictionary\">nonpublic information<\/span> was exposed, lost, stolen, or breached, including the specific roles and responsibilities of <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service providers<\/span>, if any; <a id=\"paragraph-295659\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> How the <span class=\"dictionary\">cybersecurity event<\/span> was discovered; <a id=\"paragraph-295660\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> Whether any lost, stolen, or breached information has been recovered and, if so, how this was done; <a id=\"paragraph-295661\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B5\" class=\"indent-1\"><p><span class=\"prefix-number\">5.<\/span> The identity of the source of the <span class=\"dictionary\">cybersecurity event<\/span>; <a id=\"paragraph-295662\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B5\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B6\" class=\"indent-1\"><p><span class=\"prefix-number\">6.<\/span> Whether the <span class=\"dictionary\">licensee<\/span> has filed a police report or has notified any regulatory, government, or <span class=\"dictionary\">law<\/span>-enforcement agencies and, if so, when such notification was provided; <a id=\"paragraph-295663\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B6\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B7\" class=\"indent-1\"><p><span class=\"prefix-number\">7.<\/span> A description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the <span class=\"dictionary\">consumer<\/span>; <a id=\"paragraph-295664\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B7\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B8\" class=\"indent-1\"><p><span class=\"prefix-number\">8.<\/span> The period during which the <span class=\"dictionary\">information system<\/span> was compromised by the <span class=\"dictionary\">cybersecurity event<\/span>; <a id=\"paragraph-295665\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B8\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B9\" class=\"indent-1\"><p><span class=\"prefix-number\">9.<\/span> The number of <span class=\"dictionary\">consumers<\/span> in the Commonwealth affected by the <span class=\"dictionary\">cybersecurity event<\/span>. The <span class=\"dictionary\">licensee<\/span> shall provide the best estimate in the initial report to the <span class=\"dictionary\">Commissioner<\/span> and update this estimate with each subsequent report to the <span class=\"dictionary\">Commissioner<\/span> pursuant to this section; <a id=\"paragraph-295666\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B9\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B10\" class=\"indent-1\"><p><span class=\"prefix-number\">10.<\/span> The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; <a id=\"paragraph-295667\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B10\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B11\" class=\"indent-1\"><p><span class=\"prefix-number\">11.<\/span> A description of efforts being undertaken to remediate the situation that permitted the <span class=\"dictionary\">cybersecurity event<\/span> to occur; <a id=\"paragraph-295668\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B11\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B12\" class=\"indent-1\"><p><span class=\"prefix-number\">12.<\/span> A copy of the <span class=\"dictionary\">licensee<\/span>&#8217;s <span class=\"dictionary\">consumer<\/span> privacy policy and a statement outlining the steps the <span class=\"dictionary\">licensee<\/span> will take to investigate and notify <span class=\"dictionary\">consumers<\/span> affected by the <span class=\"dictionary\">cybersecurity event<\/span>; and <a id=\"paragraph-295669\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B12\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B13\" class=\"indent-1\"><p><span class=\"prefix-number\">13.<\/span> The name of a contact <span class=\"dictionary\">person<\/span> who is both familiar with the <span class=\"dictionary\">cybersecurity event<\/span> and authorized to act for the <span class=\"dictionary\">licensee<\/span>. <a id=\"paragraph-295670\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#B13\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> A <span class=\"dictionary\">licensee<\/span> shall have a continuing obligation to update and supplement initial and subsequent notifications to the <span class=\"dictionary\">Commissioner<\/span> concerning the <span class=\"dictionary\">cybersecurity event<\/span>. <a id=\"paragraph-295671\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> Each <span class=\"dictionary\">licensee<\/span> shall notify <span class=\"dictionary\">consumers<\/span> in compliance with &#xA7; <a class=\"law\" title=\"Notice to consumers\" href=\"\/38.2-626\/\">38.2-626<\/a>, and provide a copy of the notice sent to <span class=\"dictionary\">consumers<\/span> under such section to the <span class=\"dictionary\">Commissioner<\/span>, when a <span class=\"dictionary\">licensee<\/span> is required to notify the <span class=\"dictionary\">Commissioner<\/span> under this section. <a id=\"paragraph-295672\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E\"><p><span class=\"prefix-number\">E.<\/span> If there is a <span class=\"dictionary\">cybersecurity event<\/span> in a system maintained by a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>, the <span class=\"dictionary\">licensee<\/span>, once it has become aware of such <span class=\"dictionary\">cybersecurity event<\/span>, shall treat such event as it would under this section, unless the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> provides notice in accordance with this section. The computation of a <span class=\"dictionary\">licensee<\/span>&#8217;s deadlines shall begin on the day after the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> notifies a <span class=\"dictionary\">licensee<\/span> of the <span class=\"dictionary\">cybersecurity event<\/span> or the <span class=\"dictionary\">licensee<\/span> otherwise has actual knowledge of the <span class=\"dictionary\">cybersecurity event<\/span>, whichever is sooner. <a id=\"paragraph-295673\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#E\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"F\"><p><span class=\"prefix-number\">F.<\/span> If a <span class=\"dictionary\">cybersecurity event<\/span> involves <span class=\"dictionary\">nonpublic information<\/span> that is used by a <span class=\"dictionary\">licensee<\/span> that is acting as an assuming <span class=\"dictionary\">insurer<\/span> or is in the <span class=\"dictionary\">possession<\/span>, control, or <span class=\"dictionary\">custody<\/span> of a <span class=\"dictionary\">licensee<\/span> that is acting as an assuming <span class=\"dictionary\">insurer<\/span> or its <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> and the <span class=\"dictionary\">licensee<\/span> does not have a direct contractual relationship with the affected <span class=\"dictionary\">consumers<\/span>, the <span class=\"dictionary\">licensee<\/span> shall notify its affected ceding <span class=\"dictionary\">insurers<\/span> and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> that a <span class=\"dictionary\">cybersecurity event<\/span> has occurred. Ceding <span class=\"dictionary\">insurers<\/span> that have a direct contractual relationship with affected <span class=\"dictionary\">consumers<\/span> shall fulfill the <span class=\"dictionary\">consumer<\/span> notification requirements imposed under &#xA7; <a class=\"law\" title=\"Notice to consumers\" href=\"\/38.2-626\/\">38.2-626<\/a> and any other notification requirements relating to a <span class=\"dictionary\">cybersecurity event<\/span> imposed under this section. <a id=\"paragraph-295674\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#F\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G\"><p><span class=\"prefix-number\">G.<\/span> If there is a <span class=\"dictionary\">cybersecurity event<\/span> involving <span class=\"dictionary\">nonpublic information<\/span> that is in the <span class=\"dictionary\">possession<\/span>, <span class=\"dictionary\">custody<\/span>, or control of a <span class=\"dictionary\">licensee<\/span> that is an <span class=\"dictionary\">insurer<\/span> or its <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> and for which a <span class=\"dictionary\">consumer<\/span> accessed the <span class=\"dictionary\">insurer<\/span>&#8217;s services through an independent insurance producer, the <span class=\"dictionary\">insurer<\/span> shall notify the producers of record of all affected <span class=\"dictionary\">consumers<\/span> as soon as practicable as directed by the <span class=\"dictionary\">Commissioner<\/span>. The <span class=\"dictionary\">insurer<\/span> is excused from this obligation for those instances in which it does not have the current producer of record information for any individual <span class=\"dictionary\">consumer<\/span>. <a id=\"paragraph-295675\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#G\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"H\"><p><span class=\"prefix-number\">H.<\/span> Nothing in this article shall prevent or abrogate an agreement between a <span class=\"dictionary\">licensee<\/span> and another <span class=\"dictionary\">licensee<\/span>, a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>, or any other <span class=\"dictionary\">party<\/span> to fulfill any of the investigation requirements imposed under &#xA7; <a class=\"law\" title=\"Investigation of a cybersecurity event\" href=\"\/38.2-624\/\">38.2-624<\/a> or notice requirements imposed under this section. <a id=\"paragraph-295676\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-625\/#H\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nNOTICE TO COMMISSIONER (\u00a7 38.2-625)\n\nA. If a licensee has determined that a cybersecurity event has actually\noccurred, such licensee shall notify the Commissioner, in accordance with\nrequirements prescribed by the Commission, as promptly as possible but in no\nevent later than three business days from such determination if:\n\n   1. The licensee is a domestic insurance company, or in the case of a producer,\n   the Commonwealth is the licensee&#8217;s home state and the cybersecurity\n   event meets threshold and other requirements prescribed by the Commission; or\n\n   2. The licensee reasonably believes that the nonpublic information involved is\n   of 250 or more consumers residing in the Commonwealth or the licensee is\n   required under federal law or the laws of another state to provide notice of\n   the cybersecurity event to any government body, self-regulatory agency, or\n   other supervisory body.\n\nB. Notice provided pursuant to this section shall be in electronic form and\nshall include as much of the following information as possible:\n\n   1. The date of the cybersecurity event;\n\n   2. A description of how the nonpublic information was exposed, lost, stolen,\n   or breached, including the specific roles and responsibilities of third-party\n   service providers, if any;\n\n   3. How the cybersecurity event was discovered;\n\n   4. Whether any lost, stolen, or breached information has been recovered and,\n   if so, how this was done;\n\n   5. The identity of the source of the cybersecurity event;\n\n   6. Whether the licensee has filed a police report or has notified any\n   regulatory, government, or law-enforcement agencies and, if so, when such\n   notification was provided;\n\n   7. A description of the specific types of information acquired without\n   authorization. Specific types of information include particular data elements\n   such as medical information, financial information, or other information\n   allowing identification of the consumer;\n\n   8. The period during which the information system was compromised by the\n   cybersecurity event;\n\n   9. The number of consumers in the Commonwealth affected by the cybersecurity\n   event. The licensee shall provide the best estimate in the initial report to\n   the Commissioner and update this estimate with each subsequent report to the\n   Commissioner pursuant to this section;\n\n   10. The results of any internal review identifying a lapse in either automated\n   controls or internal procedures, or confirming that all automated controls or\n   internal procedures were followed;\n\n   11. A description of efforts being undertaken to remediate the situation that\n   permitted the cybersecurity event to occur;\n\n   12. A copy of the licensee&#8217;s consumer privacy policy and a statement\n   outlining the steps the licensee will take to investigate and notify consumers\n   affected by the cybersecurity event; and\n\n   13. The name of a contact person who is both familiar with the cybersecurity\n   event and authorized to act for the licensee.\n\nC. A licensee shall have a continuing obligation to update and supplement\ninitial and subsequent notifications to the Commissioner concerning the\ncybersecurity event.\n\nD. Each licensee shall notify consumers in compliance with &#xA7; 38.2-626, and\nprovide a copy of the notice sent to consumers under such section to the\nCommissioner, when a licensee is required to notify the Commissioner under this\nsection.\n\nE. If there is a cybersecurity event in a system maintained by a third-party\nservice provider, the licensee, once it has become aware of such cybersecurity\nevent, shall treat such event as it would under this section, unless the\nthird-party service provider provides notice in accordance with this section.\nThe computation of a licensee&#8217;s deadlines shall begin on the day after the\nthird-party service provider notifies a licensee of the cybersecurity event or\nthe licensee otherwise has actual knowledge of the cybersecurity event,\nwhichever is sooner.\n\nF. If a cybersecurity event involves nonpublic information that is used by a\nlicensee that is acting as an assuming insurer or is in the possession, control,\nor custody of a licensee that is acting as an assuming insurer or its\nthird-party service provider and the licensee does not have a direct contractual\nrelationship with the affected consumers, the licensee shall notify its affected\nceding insurers and the head of its supervisory state agency of its state of\ndomicile within three business days of making the determination or receiving\nnotice from its third-party service provider that a cybersecurity event has\noccurred. Ceding insurers that have a direct contractual relationship with\naffected consumers shall fulfill the consumer notification requirements imposed\nunder &#xA7; 38.2-626 and any other notification requirements relating to a\ncybersecurity event imposed under this section.\n\nG. If there is a cybersecurity event involving nonpublic information that is in\nthe possession, custody, or control of a licensee that is an insurer or its\nthird-party service provider and for which a consumer accessed the\ninsurer&#8217;s services through an independent insurance producer, the insurer\nshall notify the producers of record of all affected consumers as soon as\npracticable as directed by the Commissioner. The insurer is excused from this\nobligation for those instances in which it does not have the current producer of\nrecord information for any individual consumer.\n\nH. Nothing in this article shall prevent or abrogate an agreement between a\nlicensee and another licensee, a third-party service provider, or any other\nparty to fulfill any of the investigation requirements imposed under &#xA7;\n38.2-624 or notice requirements imposed under this section.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}