{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-627.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-627.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-627.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-627.html"}],"law_id":64871,"edition_id":1,"section_id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","history":"2020, c. 264.","full_text":"A\n\nThe Commissioner may examine and investigate the affairs of any licensee to determine whether a licensee has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the Commissioner has under Article 4 of Chapter 13 (38.2-1300 et seq.) and Chapter 18 (38.2-1800 et seq.). Any such investigation or examination shall be conducted pursuant to Chapters 13 and 18.B\n\nWhenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in the Commonwealth that violates this article, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this article.C\n\nThe Commission may examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent as defined in &#xA7; 38.2-602 and that either (i) transacts business in the Commonwealth or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.D\n\nThe Commission shall adopt rules and regulations implementing the provisions of this article.E\n\nThis article and any rules adopted pursuant to this article establish the exclusive state standards applicable to licensees for data security, the security of nonpublic information, the investigation of cybersecurity events, and notification of cybersecurity events for those individuals and entities subject to this article.","order_by":null,"text":{"0":{"id":236050,"text":"The Commissioner may examine and investigate the affairs of any licensee to determine whether a licensee has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the Commissioner has under Article 4 of Chapter 13 (38.2-1300 et seq.) and Chapter 18 (38.2-1800 et seq.). Any such investigation or examination shall be conducted pursuant to Chapters 13 and 18.","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"B"},"1":{"id":236051,"text":"Whenever the Commissioner has reason to believe that a licensee has been or is engaged in conduct in the Commonwealth that violates this article, the Commissioner may take action that is necessary or appropriate to enforce the provisions of this article.","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A","next_prefix":"C"},"2":{"id":236052,"text":"The Commission may examine and investigate the affairs of any insurance-support organization that acts on behalf of an insurance institution or agent as defined in &#xA7; 38.2-602 and that either (i) transacts business in the Commonwealth or (ii) transacts business outside the Commonwealth and has an effect on a person residing in the Commonwealth, in order to determine whether the insurance-support organization has been or is engaged in any conduct in violation of this article.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B","next_prefix":"D"},"3":{"id":236053,"text":"The Commission shall adopt rules and regulations implementing the provisions of this article.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C","next_prefix":"E"},"4":{"id":236054,"text":"This article and any rules adopted pursuant to this article establish the exclusive state standards applicable to licensees for data security, the security of nonpublic information, the investigation of cybersecurity events, and notification of cybersecurity events for those individuals and entities subject to this article.","type":"section","prefixes":["E"],"prefix":"E","entire_prefix":"E","prefix_anchor":"E","level":1,"prior_prefix":"D"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},"next_section":{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-627\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":57578,"section_number":"38.2-628","catch_line":"Confidentiality","order_by":null,"url":"\/38.2-628\/"}],"refers_to":[{"id":81115,"section_number":"38.2-1300","catch_line":"Annual statements","order_by":null,"url":"\/38.2-1300\/"},{"id":67482,"section_number":"38.2-1800","catch_line":"Definitions","order_by":null,"url":"\/38.2-1800\/"},{"id":73837,"section_number":"38.2-602","catch_line":"Definitions","order_by":null,"url":"\/38.2-602\/"}],"permalink":{"id":218151,"object_type":"law","relational_id":64871,"identifier":"38.2-627","token":"38.2\/6\/2\/38.2-627","url":"\/38.2-627\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","dublin_core":{"Title":"Powers and duties of the Commission; exclusive state standards","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-627","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> The <span class=\"dictionary\">Commissioner<\/span> may examine and investigate the affairs of any <span class=\"dictionary\">licensee<\/span> to determine whether a <span class=\"dictionary\">licensee<\/span> has been or is engaged in any conduct in violation of this article. This power is in addition to the powers that the <span class=\"dictionary\">Commissioner<\/span> has under Article 4 of Chapter 13 (<a class=\"law\" title=\"Annual statements\" href=\"\/38.2-1300\/\">38.2-1300<\/a> et seq.) and Chapter 18 (<a class=\"law\" title=\"Definitions\" href=\"\/38.2-1800\/\">38.2-1800<\/a> et seq.). Any such investigation or examination shall be conducted pursuant to Chapters 13 and 18. <a id=\"paragraph-236050\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-627\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> Whenever the <span class=\"dictionary\">Commissioner<\/span> has reason to believe that a <span class=\"dictionary\">licensee<\/span> has been or is engaged in conduct in the Commonwealth that violates this article, the <span class=\"dictionary\">Commissioner<\/span> may take action that is necessary or appropriate to enforce the provisions of this article. <a id=\"paragraph-236051\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-627\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> The <span class=\"dictionary\">Commission<\/span> may examine and investigate the affairs of any <span class=\"dictionary\"><span class=\"dictionary\">insurance<\/span>-support organization<\/span> that acts on behalf of an <span class=\"dictionary\">insurance<\/span> institution or agent as defined in &#xA7; <a class=\"law\" title=\"Definitions\" href=\"\/38.2-602\/\">38.2-602<\/a> and that either (i) transacts business in the Commonwealth or (ii) transacts business outside the Commonwealth and has an effect on a <span class=\"dictionary\">person<\/span> residing in the Commonwealth, in <span class=\"dictionary\">order<\/span> to determine whether the <span class=\"dictionary\"><span class=\"dictionary\">insurance<\/span>-support organization<\/span> has been or is engaged in any conduct in violation of this article. <a id=\"paragraph-236052\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-627\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> The <span class=\"dictionary\">Commission<\/span> shall adopt rules and regulations implementing the provisions of this article. <a id=\"paragraph-236053\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-627\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E\"><p><span class=\"prefix-number\">E.<\/span> This article and any rules adopted pursuant to this article establish the exclusive <span class=\"dictionary\">state<\/span> standards applicable to <span class=\"dictionary\">licensees<\/span> for data security, the security of <span class=\"dictionary\">nonpublic information<\/span>, the investigation of <span class=\"dictionary\">cybersecurity events<\/span>, and notification of <span class=\"dictionary\">cybersecurity events<\/span> for those individuals and entities subject to this article. <a id=\"paragraph-236054\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-627\/#E\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nPOWERS AND DUTIES OF THE COMMISSION; EXCLUSIVE STATE STANDARDS (\u00a7 38.2-627)\n\nA. The Commissioner may examine and investigate the affairs of any licensee to\ndetermine whether a licensee has been or is engaged in any conduct in violation\nof this article. This power is in addition to the powers that the Commissioner\nhas under Article 4 of Chapter 13 (38.2-1300 et seq.) and Chapter 18 (38.2-1800\net seq.). Any such investigation or examination shall be conducted pursuant to\nChapters 13 and 18.\n\nB. Whenever the Commissioner has reason to believe that a licensee has been or\nis engaged in conduct in the Commonwealth that violates this article, the\nCommissioner may take action that is necessary or appropriate to enforce the\nprovisions of this article.\n\nC. The Commission may examine and investigate the affairs of any\ninsurance-support organization that acts on behalf of an insurance institution\nor agent as defined in &#xA7; 38.2-602 and that either (i) transacts business in\nthe Commonwealth or (ii) transacts business outside the Commonwealth and has an\neffect on a person residing in the Commonwealth, in order to determine whether\nthe insurance-support organization has been or is engaged in any conduct in\nviolation of this article.\n\nD. The Commission shall adopt rules and regulations implementing the provisions\nof this article.\n\nE. This article and any rules adopted pursuant to this article establish the\nexclusive state standards applicable to licensees for data security, the\nsecurity of nonpublic information, the investigation of cybersecurity events,\nand notification of cybersecurity events for those individuals and entities\nsubject to this article.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}