<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>59652</law_id><section_number>38.2-624</section_number><catch_line>Investigation of a cybersecurity event</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><referred_to_by><reference>38.2-625</reference><reference>38.2-629</reference></referred_to_by><structure><unit label="title" level="1" order_by="1" identifier="38.2">Insurance</unit><unit label="chapter" level="2" order_by="1" identifier="6">Insurance Information and Privacy Protection</unit><unit label="article" level="3" order_by="1" identifier="2">Insurance Data Security Act</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> If a <span class="dictionary">licensee</span> learns that a <span class="dictionary">cybersecurity event</span> has or may have occurred, the <span class="dictionary">licensee</span> or an investigator shall conduct a prompt investigation. <a id="paragraph-218463" class="section-permalink" href="https://vacode.org/38.2-624/#A"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> During the investigation, the <span class="dictionary">licensee</span> or an investigator shall, at a minimum, determine as much of the following information as possible: <a id="paragraph-218464" class="section-permalink" href="https://vacode.org/38.2-624/#B"><i class="fa fa-link"/></a></p></section>
						<section id="B1" class="indent-1"><p><span class="prefix-number">1.</span> Determine whether a <span class="dictionary">cybersecurity event</span> has occurred; <a id="paragraph-218465" class="section-permalink" href="https://vacode.org/38.2-624/#B1"><i class="fa fa-link"/></a></p></section>
						<section id="B2" class="indent-1"><p><span class="prefix-number">2.</span> Assess the nature and scope of the <span class="dictionary">cybersecurity event</span>; <a id="paragraph-218466" class="section-permalink" href="https://vacode.org/38.2-624/#B2"><i class="fa fa-link"/></a></p></section>
						<section id="B3" class="indent-1"><p><span class="prefix-number">3.</span> Identify any <span class="dictionary">nonpublic information</span> that may have been involved in the <span class="dictionary">cybersecurity event</span>; and <a id="paragraph-218467" class="section-permalink" href="https://vacode.org/38.2-624/#B3"><i class="fa fa-link"/></a></p></section>
						<section id="B4" class="indent-1"><p><span class="prefix-number">4.</span> Perform or oversee reasonable measures to restore the security of the <span class="dictionary">information systems</span> compromised in the <span class="dictionary">cybersecurity event</span> in <span class="dictionary">order</span> to prevent further unauthorized acquisition, release, or use of <span class="dictionary">nonpublic information</span> in the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">possession</span>, <span class="dictionary">custody</span>, or control. <a id="paragraph-218468" class="section-permalink" href="https://vacode.org/38.2-624/#B4"><i class="fa fa-link"/></a></p></section>
						<section id="C"><p><span class="prefix-number">C.</span> If a <span class="dictionary">licensee</span> learns that a <span class="dictionary">cybersecurity event</span> has or may have occurred in a system maintained by a <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>, the <span class="dictionary">licensee</span> will complete the steps listed in subsection B or make reasonable efforts to confirm and document that the <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> has completed those steps. <a id="paragraph-218469" class="section-permalink" href="https://vacode.org/38.2-624/#C"><i class="fa fa-link"/></a></p></section>
						<section id="D"><p><span class="prefix-number">D.</span> Each <span class="dictionary">licensee</span> shall maintain records concerning all <span class="dictionary">cybersecurity events</span> for a period of at least five years from the date of the <span class="dictionary">cybersecurity event</span> and shall produce those records upon demand of the <span class="dictionary">Commissioner</span>. <a id="paragraph-218470" class="section-permalink" href="https://vacode.org/38.2-624/#D"><i class="fa fa-link"/></a></p></section></text><history>2020, c. 264.</history><metadata></metadata></law>
