{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/38.2-629.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/38.2-629.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/38.2-629.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/38.2-629.html"}],"law_id":54030,"edition_id":1,"section_id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","history":"2020, c. 264.","full_text":"A\n\nThe following exceptions shall apply to this article:1\n\nA licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of &#xA7; 38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of &#xA7;&#xA7; 38.2-624 and 38.2-626.2\n\nAn employee, agent, representative or designee of a licensee, who is also a licensee, is exempt from &#xA7;&#xA7; 38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.3\n\nA licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to &#xA7;&#xA7; 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of &#xA7; 38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution&#8217;s adoption of an information security program that satisfies the Interagency Guidelines.B\n\nIf a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.","order_by":null,"text":{"0":{"id":198349,"text":"The following exceptions shall apply to this article:","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"A1"},"1":{"id":198350,"text":"A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of &#xA7; 38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of &#xA7;&#xA7; 38.2-624 and 38.2-626.","type":"section","prefixes":["A","1"],"prefix":"1","entire_prefix":"A1","prefix_anchor":"A1","level":2,"prior_prefix":"A","next_prefix":"A2"},"2":{"id":198351,"text":"An employee, agent, representative or designee of a licensee, who is also a licensee, is exempt from &#xA7;&#xA7; 38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.","type":"section","prefixes":["A","2"],"prefix":"2","entire_prefix":"A2","prefix_anchor":"A2","level":2,"prior_prefix":"A1","next_prefix":"A3"},"3":{"id":198352,"text":"A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to &#xA7;&#xA7; 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of &#xA7; 38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution&#8217;s adoption of an information security program that satisfies the Interagency Guidelines.","type":"section","prefixes":["A","3"],"prefix":"3","entire_prefix":"A3","prefix_anchor":"A3","level":2,"prior_prefix":"A2","next_prefix":"B"},"4":{"id":198353,"text":"If a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A3"}},"ancestry":[{"id":12923,"edition_id":1,"name":"Insurance Data Security Act","identifier":"2","label":"article","depth":3,"order_by":1,"parent_id":12922,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218125,"object_type":"structure","relational_id":12923,"identifier":"2","token":"38.2\/6\/2","url":"\/38.2\/6\/2\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12922,"edition_id":1,"name":"Insurance Information and Privacy Protection","identifier":"6","label":"chapter","depth":2,"order_by":1,"parent_id":12698,"metadata":{},"date_created":"2026-06-26 03:44:01","date_modified":"2026-06-26 03:44:01","permalink":{"id":218013,"object_type":"structure","relational_id":12922,"identifier":"6","token":"38.2\/6","url":"\/38.2\/6\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12698,"edition_id":1,"name":"Insurance","identifier":"38.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:49","date_modified":"2026-06-26 03:43:49","permalink":{"id":210661,"object_type":"structure","relational_id":12698,"identifier":"38.2","token":"38.2","url":"\/38.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":86014,"structure_id":12923,"section_number":"38.2-621","catch_line":"Definitions","url":"\/38.2-621\/","token":"38.2\/6\/2\/38.2-621","metadata":false},{"id":54858,"structure_id":12923,"section_number":"38.2-622","catch_line":"Private cause of action; neither created nor curtailed","url":"\/38.2-622\/","token":"38.2\/6\/2\/38.2-622","metadata":false},{"id":83071,"structure_id":12923,"section_number":"38.2-623","catch_line":"Information security program","url":"\/38.2-623\/","token":"38.2\/6\/2\/38.2-623","metadata":false},{"id":59652,"structure_id":12923,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","url":"\/38.2-624\/","token":"38.2\/6\/2\/38.2-624","metadata":false},{"id":82527,"structure_id":12923,"section_number":"38.2-625","catch_line":"Notice to Commissioner","url":"\/38.2-625\/","token":"38.2\/6\/2\/38.2-625","metadata":false},{"id":75700,"structure_id":12923,"section_number":"38.2-626","catch_line":"Notice to consumers","url":"\/38.2-626\/","token":"38.2\/6\/2\/38.2-626","metadata":false},{"id":64871,"structure_id":12923,"section_number":"38.2-627","catch_line":"Powers and duties of the Commission; exclusive state standards","url":"\/38.2-627\/","token":"38.2\/6\/2\/38.2-627","metadata":false},{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},{"id":54030,"structure_id":12923,"section_number":"38.2-629","catch_line":"Exceptions","url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","metadata":false}],"previous_section":{"id":57578,"structure_id":12923,"section_number":"38.2-628","catch_line":"Confidentiality","url":"\/38.2-628\/","token":"38.2\/6\/2\/38.2-628","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/38.2-629\/","history_text":"<p>This law was first created in 2020. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?201+ful+CHAP0264\">264<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year.<\/p>","references":[{"id":55347,"section_number":"38.2-4214","catch_line":"Application of certain provisions of law","order_by":null,"url":"\/38.2-4214\/"},{"id":67952,"section_number":"38.2-4319","catch_line":"Statutory construction and relationship to other laws","order_by":null,"url":"\/38.2-4319\/"},{"id":60078,"section_number":"38.2-4408","catch_line":"Application of certain provisions","order_by":null,"url":"\/38.2-4408\/"},{"id":62548,"section_number":"38.2-4509","catch_line":"Application of certain laws","order_by":null,"url":"\/38.2-4509\/"}],"refers_to":[{"id":83071,"section_number":"38.2-623","catch_line":"Information security program","order_by":null,"url":"\/38.2-623\/"},{"id":59652,"section_number":"38.2-624","catch_line":"Investigation of a cybersecurity event","order_by":null,"url":"\/38.2-624\/"},{"id":82527,"section_number":"38.2-625","catch_line":"Notice to Commissioner","order_by":null,"url":"\/38.2-625\/"},{"id":75700,"section_number":"38.2-626","catch_line":"Notice to consumers","order_by":null,"url":"\/38.2-626\/"}],"permalink":{"id":218159,"object_type":"law","relational_id":54030,"identifier":"38.2-629","token":"38.2\/6\/2\/38.2-629","url":"\/38.2-629\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/38.2-629\/","token":"38.2\/6\/2\/38.2-629","dublin_core":{"Title":"Exceptions","Type":"Text","Format":"text\/html","Identifier":"\u00a7 38.2-629","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> The following exceptions shall apply to this article: <a id=\"paragraph-198349\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-629\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> A <span class=\"dictionary\">licensee<\/span> subject to <span class=\"dictionary\">HIPAA<\/span> that has established and maintains an <span class=\"dictionary\">information security program<\/span> pursuant to such <span class=\"dictionary\">statutes<\/span>, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of &#xA7; <a class=\"law\" title=\"Information security program\" href=\"\/38.2-623\/\">38.2-623<\/a>, provided that <span class=\"dictionary\">licensee<\/span> is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect <span class=\"dictionary\">nonpublic information<\/span> not subject to <span class=\"dictionary\">HIPAA<\/span> in the same manner it protects information that is subject to <span class=\"dictionary\">HIPAA<\/span>, and any such <span class=\"dictionary\">licensee<\/span> that investigates a <span class=\"dictionary\">cybersecurity event<\/span> and notifies <span class=\"dictionary\">consumers<\/span> in accordance with <span class=\"dictionary\">HIPAA<\/span> and any <span class=\"dictionary\">HIPAA<\/span>-established rules, regulations, or procedures shall be considered compliant with the requirements of &#xA7;&#xA7; <a class=\"law\" title=\"Investigation of a cybersecurity event\" href=\"\/38.2-624\/\">38.2-624<\/a> and <a class=\"law\" title=\"Notice to consumers\" href=\"\/38.2-626\/\">38.2-626<\/a>. <a id=\"paragraph-198350\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-629\/#A1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> An employee, agent, representative or designee of a <span class=\"dictionary\">licensee<\/span>, who is also a <span class=\"dictionary\">licensee<\/span>, is exempt from &#xA7;&#xA7; <a class=\"law\" title=\"Information security program\" href=\"\/38.2-623\/\">38.2-623<\/a>, <a class=\"law\" title=\"Investigation of a cybersecurity event\" href=\"\/38.2-624\/\">38.2-624<\/a>, <a class=\"law\" title=\"Notice to Commissioner\" href=\"\/38.2-625\/\">38.2-625<\/a>, and <a class=\"law\" title=\"Notice to consumers\" href=\"\/38.2-626\/\">38.2-626<\/a> and need not develop its own <span class=\"dictionary\">information security program<\/span> or conduct an investigation of or provide notices to the <span class=\"dictionary\">Commissioner<\/span> and <span class=\"dictionary\">consumers<\/span> relating to a <span class=\"dictionary\">cybersecurity event<\/span>, to the extent that the employee, agent, representative, or designee is covered by the <span class=\"dictionary\">information security program<\/span>, investigation, and notification obligations of the other <span class=\"dictionary\">licensee<\/span>. <a id=\"paragraph-198351\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-629\/#A2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> A <span class=\"dictionary\">licensee<\/span> affiliated with a depository institution that maintains an <span class=\"dictionary\">information security program<\/span> in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to &#xA7;&#xA7; 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of &#xA7; <a class=\"law\" title=\"Information security program\" href=\"\/38.2-623\/\">38.2-623<\/a> and any rules, regulations, or procedures established thereunder, provided that the <span class=\"dictionary\">licensee<\/span> produces, upon request, documentation satisfactory to the <span class=\"dictionary\">Commissioner<\/span> that independently validates the affiliated depository institution&#8217;s adoption of an <span class=\"dictionary\">information security program<\/span> that satisfies the Interagency Guidelines. <a id=\"paragraph-198352\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-629\/#A3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> If a <span class=\"dictionary\">licensee<\/span> ceases to qualify for an exception, such <span class=\"dictionary\">licensee<\/span> shall have 180 days from the date it ceases to qualify to comply with this article. <a id=\"paragraph-198353\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/38.2-629\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nEXCEPTIONS (\u00a7 38.2-629)\n\nA. The following exceptions shall apply to this article:\n\n   1. A licensee subject to HIPAA that has established and maintains an\n   information security program pursuant to such statutes, rules, regulations, or\n   procedures established thereunder shall be considered to meet the requirements\n   of &#xA7; 38.2-623, provided that licensee is compliant with, and submits a\n   written statement certifying its compliance with, the same, and certifies that\n   it will protect nonpublic information not subject to HIPAA in the same manner\n   it protects information that is subject to HIPAA, and any such licensee that\n   investigates a cybersecurity event and notifies consumers in accordance with\n   HIPAA and any HIPAA-established rules, regulations, or procedures shall be\n   considered compliant with the requirements of &#xA7;&#xA7; 38.2-624 and\n   38.2-626.\n\n   2. An employee, agent, representative or designee of a licensee, who is also a\n   licensee, is exempt from &#xA7;&#xA7; 38.2-623, 38.2-624, 38.2-625, and\n   38.2-626 and need not develop its own information security program or conduct\n   an investigation of or provide notices to the Commissioner and consumers\n   relating to a cybersecurity event, to the extent that the employee, agent,\n   representative, or designee is covered by the information security program,\n   investigation, and notification obligations of the other licensee.\n\n   3. A licensee affiliated with a depository institution that maintains an\n   information security program in compliance with the Interagency Guidelines\n   Establishing Standards for Safeguarding Customer Information (Interagency\n   Guidelines) as set forth pursuant to &#xA7;&#xA7; 501 and 505 of the federal\n   Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the\n   requirements of &#xA7; 38.2-623 and any rules, regulations, or procedures\n   established thereunder, provided that the licensee produces, upon request,\n   documentation satisfactory to the Commissioner that independently validates\n   the affiliated depository institution&#8217;s adoption of an information\n   security program that satisfies the Interagency Guidelines.\n\nB. If a licensee ceases to qualify for an exception, such licensee shall have\n180 days from the date it ceases to qualify to comply with this article.\n\nHISTORY: 2020, c. 264.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}