{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-626.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-626.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-626.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-626.html"}],"law_id":75700,"edition_id":1,"section_id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","history":"2020, c. 264.","full_text":"A\n\nA licensee that maintains consumers&#8217; nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers&#8217; nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers&#8217; nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:1\n\nThe incident in general terms;2\n\nThe type of nonpublic information that was subject to the unauthorized access and acquisition;3\n\nThe general acts of the licensee to protect the consumer&#8217;s nonpublic information from further unauthorized access;4\n\nA telephone number that the consumer may call for further information and assistance, if one exists; and5\n\nAdvice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer&#8217;s credit reports.B\n\nNotice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.C\n\nIn the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. &#xA7; 1681a (p), of the timing, distribution, and content of the notice.D\n\nNotice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. &#xA7; 1692a.E\n\nNotice required by this section and &#xA7; 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.F\n\nIf there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee&#8217;s deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.","order_by":null,"text":{"0":{"id":271828,"text":"A licensee that maintains consumers&#8217; nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers&#8217; nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers&#8217; nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"A1"},"1":{"id":271829,"text":"The incident in general terms;","type":"section","prefixes":["A","1"],"prefix":"1","entire_prefix":"A1","prefix_anchor":"A1","level":2,"prior_prefix":"A","next_prefix":"A2"},"2":{"id":271830,"text":"The type of nonpublic information that was subject to the unauthorized access and acquisition;","type":"section","prefixes":["A","2"],"prefix":"2","entire_prefix":"A2","prefix_anchor":"A2","level":2,"prior_prefix":"A1","next_prefix":"A3"},"3":{"id":271831,"text":"The general acts of the licensee to protect the consumer&#8217;s nonpublic information from further unauthorized access;","type":"section","prefixes":["A","3"],"prefix":"3","entire_prefix":"A3","prefix_anchor":"A3","level":2,"prior_prefix":"A2","next_prefix":"A4"},"4":{"id":271832,"text":"A telephone number that the consumer may call for further information and assistance, if one exists; and","type":"section","prefixes":["A","4"],"prefix":"4","entire_prefix":"A4","prefix_anchor":"A4","level":2,"prior_prefix":"A3","next_prefix":"A5"},"5":{"id":271833,"text":"Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer&#8217;s credit reports.","type":"section","prefixes":["A","5"],"prefix":"5","entire_prefix":"A5","prefix_anchor":"A5","level":2,"prior_prefix":"A4","next_prefix":"B"},"6":{"id":271834,"text":"Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A5","next_prefix":"C"},"7":{"id":271835,"text":"In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. &#xA7; 1681a (p), of the timing, distribution, and content of the notice.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B","next_prefix":"D"},"8":{"id":271836,"text":"Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. &#xA7; 1692a.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C","next_prefix":"E"},"9":{"id":271837,"text":"Notice required by this section and &#xA7; 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.","type":"section","prefixes":["E"],"prefix":"E","entire_prefix":"E","prefix_anchor":"E","level":1,"prior_prefix":"D","next_prefix":"F"},"10":{"id":271838,"text":"If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee&#8217;s deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.","type":"section","prefixes":["F"],"prefix":"F","entire_prefix":"F","prefix_anchor":"F","level":1,"prior_prefix":"E"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},"next_section":{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-626\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":82527,"section_number":"38.2-625","catch_line":"Notice to Commissioner","order_by":null,"url":"\/38.2-625\/"},{"id":54030,"section_number":"38.2-629","catch_line":"Exceptions","order_by":null,"url":"\/38.2-629\/"}],"refers_to":[{"id":82527,"section_number":"38.2-625","catch_line":"Notice to Commissioner","order_by":null,"url":"\/38.2-625\/"}],"permalink":{"id":218147,"object_type":"law","relational_id":75700,"identifier":"38.2-626","token":"38.2\/6\/2\/38.2-626","url":"\/38.2-626\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","dublin_core":{"Title":"Notice to consumers","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-626","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> A <span class=\"dictionary\">licensee<\/span> that maintains <span class=\"dictionary\">consumers<\/span>&#8217; <span class=\"dictionary\">nonpublic information<\/span> shall notify the <span class=\"dictionary\">consumer<\/span> of any <span class=\"dictionary\">cybersecurity event<\/span> without unreasonable delay after making a determination or receiving notice the <span class=\"dictionary\">cybersecurity event<\/span> has occurred, if <span class=\"dictionary\">consumers<\/span>&#8217; <span class=\"dictionary\">nonpublic information<\/span> was accessed and acquired by an unauthorized <span class=\"dictionary\">person<\/span> or such <span class=\"dictionary\">licensee<\/span> reasonably believes <span class=\"dictionary\">consumers<\/span>&#8217; <span class=\"dictionary\">nonpublic information<\/span> was accessed and acquired by an unauthorized <span class=\"dictionary\">person<\/span> and the <span class=\"dictionary\">cybersecurity event<\/span> has a reasonable likelihood of causing or has caused identity theft or other <span class=\"dictionary\">fraud<\/span> to such <span class=\"dictionary\">consumers<\/span>. Such notice shall include a description of the following: <a id=\"paragraph-271828\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> The incident in general terms; <a id=\"paragraph-271829\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> The type of <span class=\"dictionary\">nonpublic information<\/span> that was subject to the unauthorized access and acquisition; <a id=\"paragraph-271830\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> The general acts of the <span class=\"dictionary\">licensee<\/span> to protect the <span class=\"dictionary\">consumer<\/span>&#8217;s <span class=\"dictionary\">nonpublic information<\/span> from further unauthorized access; <a id=\"paragraph-271831\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> A telephone number that the <span class=\"dictionary\">consumer<\/span> may call for further information and assistance, if one exists; and <a id=\"paragraph-271832\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A5\" class=\"indent-1\"><p><span class=\"prefix-number\">5.<\/span> Advice that directs the <span class=\"dictionary\">consumer<\/span> to remain vigilant by reviewing account statements and monitoring the <span class=\"dictionary\">consumer<\/span>&#8217;s credit reports. <a id=\"paragraph-271833\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#A5\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> Notice to <span class=\"dictionary\">consumers<\/span> under this section shall be given as written notice to the last known postal address in the records of the <span class=\"dictionary\">licensee<\/span>, telephone notice, or electronic notice. However, if the <span class=\"dictionary\">licensee<\/span> required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of <span class=\"dictionary\">consumers<\/span> to be notified exceeds 100,000 <span class=\"dictionary\">consumers<\/span>, or the <span class=\"dictionary\">licensee<\/span> does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the <span class=\"dictionary\">licensee<\/span> has e-mail addresses for the members of the affected class of <span class=\"dictionary\">consumers<\/span>; (ii) conspicuous posting of the notice on the website of the <span class=\"dictionary\">licensee<\/span> if the <span class=\"dictionary\">licensee<\/span> maintains a website; and (iii) notice to major statewide media. <a id=\"paragraph-271834\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> In the event that a <span class=\"dictionary\">licensee<\/span> provides notice to more than 1,000 <span class=\"dictionary\">consumers<\/span> at one time pursuant to this section, the <span class=\"dictionary\">licensee<\/span> shall also notify, without unreasonable delay, all <span class=\"dictionary\">consumer<\/span> reporting agencies that compile and maintain files on <span class=\"dictionary\">consumers<\/span> on a nationwide basis, as defined in 15 U.S.C. &#xA7; 1681a (p), of the timing, distribution, and content of the notice. <a id=\"paragraph-271835\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. &#xA7; 1692a. <a id=\"paragraph-271836\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E\"><p><span class=\"prefix-number\">E.<\/span> Notice required by this section and &#xA7; <a class=\"law\" title=\"Notice to Commissioner\" href=\"\/38.2-625\/\">38.2-625<\/a> may be delayed if, after the <span class=\"dictionary\">person<\/span> notifies a <span class=\"dictionary\">law<\/span>-enforcement agency, the <span class=\"dictionary\">law<\/span>-enforcement agency determines and advises the <span class=\"dictionary\">person<\/span> that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the <span class=\"dictionary\">law<\/span>-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security. <a id=\"paragraph-271837\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#E\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"F\"><p><span class=\"prefix-number\">F.<\/span> If there is a <span class=\"dictionary\">cybersecurity event<\/span> in a system maintained by a <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span>, the <span class=\"dictionary\">licensee<\/span>, once it has become aware of such <span class=\"dictionary\">cybersecurity event<\/span>, shall treat such event as it would under this section, unless the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> provides notice in accordance with this section. The computation of a <span class=\"dictionary\">licensee<\/span>&#8217;s deadlines shall begin on the day after the <span class=\"dictionary\">third-<span class=\"dictionary\">party<\/span> service provider<\/span> notifies a <span class=\"dictionary\">licensee<\/span> of the <span class=\"dictionary\">cybersecurity event<\/span> or the <span class=\"dictionary\">licensee<\/span> otherwise has actual knowledge of the <span class=\"dictionary\">cybersecurity event<\/span>, whichever is sooner. <a id=\"paragraph-271838\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-626\/#F\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nNOTICE TO CONSUMERS (\u00a7 38.2-626)\n\nA. A licensee that maintains consumers&#8217; nonpublic information shall notify\nthe consumer of any cybersecurity event without unreasonable delay after making\na determination or receiving notice the cybersecurity event has occurred, if\nconsumers&#8217; nonpublic information was accessed and acquired by an\nunauthorized person or such licensee reasonably believes consumers&#8217;\nnonpublic information was accessed and acquired by an unauthorized person and\nthe cybersecurity event has a reasonable likelihood of causing or has caused\nidentity theft or other fraud to such consumers. Such notice shall include a\ndescription of the following:\n\n   1. The incident in general terms;\n\n   2. The type of nonpublic information that was subject to the unauthorized\n   access and acquisition;\n\n   3. The general acts of the licensee to protect the consumer&#8217;s nonpublic\n   information from further unauthorized access;\n\n   4. A telephone number that the consumer may call for further information and\n   assistance, if one exists; and\n\n   5. Advice that directs the consumer to remain vigilant by reviewing account\n   statements and monitoring the consumer&#8217;s credit reports.\n\nB. Notice to consumers under this section shall be given as written notice to\nthe last known postal address in the records of the licensee, telephone notice,\nor electronic notice. However, if the licensee required to provide notice\ndemonstrates that the cost of providing notice will exceed $50,000, the affected\nclass of consumers to be notified exceeds 100,000 consumers, or the licensee\ndoes not have sufficient contact information or consent to provide notice,\nsubstitute notice may be provided. Substitute notice shall consist of (i) e-mail\nnotice if the licensee has e-mail addresses for the members of the affected\nclass of consumers; (ii) conspicuous posting of the notice on the website of the\nlicensee if the licensee maintains a website; and (iii) notice to major\nstatewide media.\n\nC. In the event that a licensee provides notice to more than 1,000 consumers at\none time pursuant to this section, the licensee shall also notify, without\nunreasonable delay, all consumer reporting agencies that compile and maintain\nfiles on consumers on a nationwide basis, as defined in 15 U.S.C. &#xA7; 1681a\n(p), of the timing, distribution, and content of the notice.\n\nD. Notice required by this section shall not be considered a debt communication\nas defined by the Fair Debt Collection Practices Act in 15 U.S.C. &#xA7; 1692a.\n\nE. Notice required by this section and &#xA7; 38.2-625 may be delayed if, after\nthe person notifies a law-enforcement agency, the law-enforcement agency\ndetermines and advises the person that the notice will impede a criminal or\ncivil investigation or jeopardize national or homeland security. Notice shall be\nmade without unreasonable delay after the law-enforcement agency determines that\nthe notification will no longer impede the investigation or jeopardize national\nor homeland security.\n\nF. If there is a cybersecurity event in a system maintained by a third-party\nservice provider, the licensee, once it has become aware of such cybersecurity\nevent, shall treat such event as it would under this section, unless the\nthird-party service provider provides notice in accordance with this section.\nThe computation of a licensee&#8217;s deadlines shall begin on the day after the\nthird-party service provider notifies a licensee of the cybersecurity event or\nthe licensee otherwise has actual knowledge of the cybersecurity event,\nwhichever is sooner.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}