<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>82527</law_id><section_number>38.2-625</section_number><catch_line>Notice to Commissioner</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><referred_to_by><reference>38.2-626</reference><reference>38.2-628</reference><reference>38.2-629</reference></referred_to_by><structure><unit label="title" level="1" order_by="1" identifier="38.2">Insurance</unit><unit label="chapter" level="2" order_by="1" identifier="6">Insurance Information and Privacy Protection</unit><unit label="article" level="3" order_by="1" identifier="2">Insurance Data Security Act</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> If a <span class="dictionary">licensee</span> has determined that a <span class="dictionary">cybersecurity event</span> has actually occurred, such <span class="dictionary">licensee</span> shall notify the <span class="dictionary">Commissioner</span>, in accordance with requirements prescribed by the <span class="dictionary">Commission</span>, as promptly as possible but in no event later than three business days from such determination if: <a id="paragraph-295654" class="section-permalink" href="https://vacode.org/38.2-625/#A"><i class="fa fa-link"/></a></p></section>
						<section id="A1" class="indent-1"><p><span class="prefix-number">1.</span> The <span class="dictionary">licensee</span> is a domestic <span class="dictionary">insurance company</span>, or in the case of a producer, the Commonwealth is the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">home state</span> and the <span class="dictionary">cybersecurity event</span> meets threshold and other requirements prescribed by the <span class="dictionary">Commission</span>; or <a id="paragraph-295655" class="section-permalink" href="https://vacode.org/38.2-625/#A1"><i class="fa fa-link"/></a></p></section>
						<section id="A2" class="indent-1"><p><span class="prefix-number">2.</span> The <span class="dictionary">licensee</span> reasonably believes that the <span class="dictionary">nonpublic information</span> involved is of 250 or more <span class="dictionary">consumers</span> residing in the Commonwealth or the <span class="dictionary">licensee</span> is required under federal <span class="dictionary">law</span> or the <span class="dictionary">laws</span> of another state to provide notice of the <span class="dictionary">cybersecurity event</span> to any government body, self-regulatory agency, or other supervisory body. <a id="paragraph-295656" class="section-permalink" href="https://vacode.org/38.2-625/#A2"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> Notice provided pursuant to this section shall be in electronic form and shall include as much of the following information as possible: <a id="paragraph-295657" class="section-permalink" href="https://vacode.org/38.2-625/#B"><i class="fa fa-link"/></a></p></section>
						<section id="B1" class="indent-1"><p><span class="prefix-number">1.</span> The date of the <span class="dictionary">cybersecurity event</span>; <a id="paragraph-295658" class="section-permalink" href="https://vacode.org/38.2-625/#B1"><i class="fa fa-link"/></a></p></section>
						<section id="B2" class="indent-1"><p><span class="prefix-number">2.</span> A description of how the <span class="dictionary">nonpublic information</span> was exposed, lost, stolen, or breached, including the specific roles and responsibilities of <span class="dictionary">third-<span class="dictionary">party</span> service providers</span>, if any; <a id="paragraph-295659" class="section-permalink" href="https://vacode.org/38.2-625/#B2"><i class="fa fa-link"/></a></p></section>
						<section id="B3" class="indent-1"><p><span class="prefix-number">3.</span> How the <span class="dictionary">cybersecurity event</span> was discovered; <a id="paragraph-295660" class="section-permalink" href="https://vacode.org/38.2-625/#B3"><i class="fa fa-link"/></a></p></section>
						<section id="B4" class="indent-1"><p><span class="prefix-number">4.</span> Whether any lost, stolen, or breached information has been recovered and, if so, how this was done; <a id="paragraph-295661" class="section-permalink" href="https://vacode.org/38.2-625/#B4"><i class="fa fa-link"/></a></p></section>
						<section id="B5" class="indent-1"><p><span class="prefix-number">5.</span> The identity of the source of the <span class="dictionary">cybersecurity event</span>; <a id="paragraph-295662" class="section-permalink" href="https://vacode.org/38.2-625/#B5"><i class="fa fa-link"/></a></p></section>
						<section id="B6" class="indent-1"><p><span class="prefix-number">6.</span> Whether the <span class="dictionary">licensee</span> has filed a police report or has notified any regulatory, government, or <span class="dictionary">law</span>-enforcement agencies and, if so, when such notification was provided; <a id="paragraph-295663" class="section-permalink" href="https://vacode.org/38.2-625/#B6"><i class="fa fa-link"/></a></p></section>
						<section id="B7" class="indent-1"><p><span class="prefix-number">7.</span> A description of the specific types of information acquired without authorization. Specific types of information include particular data elements such as medical information, financial information, or other information allowing identification of the <span class="dictionary">consumer</span>; <a id="paragraph-295664" class="section-permalink" href="https://vacode.org/38.2-625/#B7"><i class="fa fa-link"/></a></p></section>
						<section id="B8" class="indent-1"><p><span class="prefix-number">8.</span> The period during which the <span class="dictionary">information system</span> was compromised by the <span class="dictionary">cybersecurity event</span>; <a id="paragraph-295665" class="section-permalink" href="https://vacode.org/38.2-625/#B8"><i class="fa fa-link"/></a></p></section>
						<section id="B9" class="indent-1"><p><span class="prefix-number">9.</span> The number of <span class="dictionary">consumers</span> in the Commonwealth affected by the <span class="dictionary">cybersecurity event</span>. The <span class="dictionary">licensee</span> shall provide the best estimate in the initial report to the <span class="dictionary">Commissioner</span> and update this estimate with each subsequent report to the <span class="dictionary">Commissioner</span> pursuant to this section; <a id="paragraph-295666" class="section-permalink" href="https://vacode.org/38.2-625/#B9"><i class="fa fa-link"/></a></p></section>
						<section id="B10" class="indent-1"><p><span class="prefix-number">10.</span> The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; <a id="paragraph-295667" class="section-permalink" href="https://vacode.org/38.2-625/#B10"><i class="fa fa-link"/></a></p></section>
						<section id="B11" class="indent-1"><p><span class="prefix-number">11.</span> A description of efforts being undertaken to remediate the situation that permitted the <span class="dictionary">cybersecurity event</span> to occur; <a id="paragraph-295668" class="section-permalink" href="https://vacode.org/38.2-625/#B11"><i class="fa fa-link"/></a></p></section>
						<section id="B12" class="indent-1"><p><span class="prefix-number">12.</span> A copy of the <span class="dictionary">licensee</span>&#x2019;s <span class="dictionary">consumer</span> privacy policy and a statement outlining the steps the <span class="dictionary">licensee</span> will take to investigate and notify <span class="dictionary">consumers</span> affected by the <span class="dictionary">cybersecurity event</span>; and <a id="paragraph-295669" class="section-permalink" href="https://vacode.org/38.2-625/#B12"><i class="fa fa-link"/></a></p></section>
						<section id="B13" class="indent-1"><p><span class="prefix-number">13.</span> The name of a contact <span class="dictionary">person</span> who is both familiar with the <span class="dictionary">cybersecurity event</span> and authorized to act for the <span class="dictionary">licensee</span>. <a id="paragraph-295670" class="section-permalink" href="https://vacode.org/38.2-625/#B13"><i class="fa fa-link"/></a></p></section>
						<section id="C"><p><span class="prefix-number">C.</span> A <span class="dictionary">licensee</span> shall have a continuing obligation to update and supplement initial and subsequent notifications to the <span class="dictionary">Commissioner</span> concerning the <span class="dictionary">cybersecurity event</span>. <a id="paragraph-295671" class="section-permalink" href="https://vacode.org/38.2-625/#C"><i class="fa fa-link"/></a></p></section>
						<section id="D"><p><span class="prefix-number">D.</span> Each <span class="dictionary">licensee</span> shall notify <span class="dictionary">consumers</span> in compliance with &#xA7; <a class="law" title="Notice to consumers" href="/38.2-626/">38.2-626</a>, and provide a copy of the notice sent to <span class="dictionary">consumers</span> under such section to the <span class="dictionary">Commissioner</span>, when a <span class="dictionary">licensee</span> is required to notify the <span class="dictionary">Commissioner</span> under this section. <a id="paragraph-295672" class="section-permalink" href="https://vacode.org/38.2-625/#D"><i class="fa fa-link"/></a></p></section>
						<section id="E"><p><span class="prefix-number">E.</span> If there is a <span class="dictionary">cybersecurity event</span> in a system maintained by a <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>, the <span class="dictionary">licensee</span>, once it has become aware of such <span class="dictionary">cybersecurity event</span>, shall treat such event as it would under this section, unless the <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> provides notice in accordance with this section. The computation of a <span class="dictionary">licensee</span>&#x2019;s deadlines shall begin on the day after the <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> notifies a <span class="dictionary">licensee</span> of the <span class="dictionary">cybersecurity event</span> or the <span class="dictionary">licensee</span> otherwise has actual knowledge of the <span class="dictionary">cybersecurity event</span>, whichever is sooner. <a id="paragraph-295673" class="section-permalink" href="https://vacode.org/38.2-625/#E"><i class="fa fa-link"/></a></p></section>
						<section id="F"><p><span class="prefix-number">F.</span> If a <span class="dictionary">cybersecurity event</span> involves <span class="dictionary">nonpublic information</span> that is used by a <span class="dictionary">licensee</span> that is acting as an assuming <span class="dictionary">insurer</span> or is in the <span class="dictionary">possession</span>, control, or <span class="dictionary">custody</span> of a <span class="dictionary">licensee</span> that is acting as an assuming <span class="dictionary">insurer</span> or its <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> and the <span class="dictionary">licensee</span> does not have a direct contractual relationship with the affected <span class="dictionary">consumers</span>, the <span class="dictionary">licensee</span> shall notify its affected ceding <span class="dictionary">insurers</span> and the head of its supervisory state agency of its state of domicile within three business days of making the determination or receiving notice from its <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> that a <span class="dictionary">cybersecurity event</span> has occurred. Ceding <span class="dictionary">insurers</span> that have a direct contractual relationship with affected <span class="dictionary">consumers</span> shall fulfill the <span class="dictionary">consumer</span> notification requirements imposed under &#xA7; <a class="law" title="Notice to consumers" href="/38.2-626/">38.2-626</a> and any other notification requirements relating to a <span class="dictionary">cybersecurity event</span> imposed under this section. <a id="paragraph-295674" class="section-permalink" href="https://vacode.org/38.2-625/#F"><i class="fa fa-link"/></a></p></section>
						<section id="G"><p><span class="prefix-number">G.</span> If there is a <span class="dictionary">cybersecurity event</span> involving <span class="dictionary">nonpublic information</span> that is in the <span class="dictionary">possession</span>, <span class="dictionary">custody</span>, or control of a <span class="dictionary">licensee</span> that is an <span class="dictionary">insurer</span> or its <span class="dictionary">third-<span class="dictionary">party</span> service provider</span> and for which a <span class="dictionary">consumer</span> accessed the <span class="dictionary">insurer</span>&#x2019;s services through an independent insurance producer, the <span class="dictionary">insurer</span> shall notify the producers of record of all affected <span class="dictionary">consumers</span> as soon as practicable as directed by the <span class="dictionary">Commissioner</span>. The <span class="dictionary">insurer</span> is excused from this obligation for those instances in which it does not have the current producer of record information for any individual <span class="dictionary">consumer</span>. <a id="paragraph-295675" class="section-permalink" href="https://vacode.org/38.2-625/#G"><i class="fa fa-link"/></a></p></section>
						<section id="H"><p><span class="prefix-number">H.</span> Nothing in this article shall prevent or abrogate an agreement between a <span class="dictionary">licensee</span> and another <span class="dictionary">licensee</span>, a <span class="dictionary">third-<span class="dictionary">party</span> service provider</span>, or any other <span class="dictionary">party</span> to fulfill any of the investigation requirements imposed under &#xA7; <a class="law" title="Investigation of a cybersecurity event" href="/38.2-624/">38.2-624</a> or notice requirements imposed under this section. <a id="paragraph-295676" class="section-permalink" href="https://vacode.org/38.2-625/#H"><i class="fa fa-link"/></a></p></section></text><history>2020, c. 264.</history><metadata></metadata></law>
