<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>54030</law_id><section_number>38.2-629</section_number><catch_line>Exceptions</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><referred_to_by><reference>38.2-4214</reference><reference>38.2-4319</reference><reference>38.2-4408</reference><reference>38.2-4509</reference></referred_to_by><structure><unit label="title" level="1" order_by="1" identifier="38.2">Insurance</unit><unit label="chapter" level="2" order_by="1" identifier="6">Insurance Information and Privacy Protection</unit><unit label="article" level="3" order_by="1" identifier="2">Insurance Data Security Act</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> The following exceptions shall apply to this article: <a id="paragraph-198349" class="section-permalink" href="https://vacode.org/38.2-629/#A"><i class="fa fa-link"/></a></p></section>
						<section id="A1" class="indent-1"><p><span class="prefix-number">1.</span> A <span class="dictionary">licensee</span> subject to <span class="dictionary">HIPAA</span> that has established and maintains an <span class="dictionary">information security program</span> pursuant to such <span class="dictionary">statutes</span>, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of &#xA7; <a class="law" title="Information security program" href="/38.2-623/">38.2-623</a>, provided that <span class="dictionary">licensee</span> is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect <span class="dictionary">nonpublic information</span> not subject to <span class="dictionary">HIPAA</span> in the same manner it protects information that is subject to <span class="dictionary">HIPAA</span>, and any such <span class="dictionary">licensee</span> that investigates a <span class="dictionary">cybersecurity event</span> and notifies <span class="dictionary">consumers</span> in accordance with <span class="dictionary">HIPAA</span> and any <span class="dictionary">HIPAA</span>-established rules, regulations, or procedures shall be considered compliant with the requirements of &#xA7;&#xA7; <a class="law" title="Investigation of a cybersecurity event" href="/38.2-624/">38.2-624</a> and <a class="law" title="Notice to consumers" href="/38.2-626/">38.2-626</a>. <a id="paragraph-198350" class="section-permalink" href="https://vacode.org/38.2-629/#A1"><i class="fa fa-link"/></a></p></section>
						<section id="A2" class="indent-1"><p><span class="prefix-number">2.</span> An employee, agent, representative or designee of a <span class="dictionary">licensee</span>, who is also a <span class="dictionary">licensee</span>, is exempt from &#xA7;&#xA7; <a class="law" title="Information security program" href="/38.2-623/">38.2-623</a>, <a class="law" title="Investigation of a cybersecurity event" href="/38.2-624/">38.2-624</a>, <a class="law" title="Notice to Commissioner" href="/38.2-625/">38.2-625</a>, and <a class="law" title="Notice to consumers" href="/38.2-626/">38.2-626</a> and need not develop its own <span class="dictionary">information security program</span> or conduct an investigation of or provide notices to the <span class="dictionary">Commissioner</span> and <span class="dictionary">consumers</span> relating to a <span class="dictionary">cybersecurity event</span>, to the extent that the employee, agent, representative, or designee is covered by the <span class="dictionary">information security program</span>, investigation, and notification obligations of the other <span class="dictionary">licensee</span>. <a id="paragraph-198351" class="section-permalink" href="https://vacode.org/38.2-629/#A2"><i class="fa fa-link"/></a></p></section>
						<section id="A3" class="indent-1"><p><span class="prefix-number">3.</span> A <span class="dictionary">licensee</span> affiliated with a depository institution that maintains an <span class="dictionary">information security program</span> in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to &#xA7;&#xA7; 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of &#xA7; <a class="law" title="Information security program" href="/38.2-623/">38.2-623</a> and any rules, regulations, or procedures established thereunder, provided that the <span class="dictionary">licensee</span> produces, upon request, documentation satisfactory to the <span class="dictionary">Commissioner</span> that independently validates the affiliated depository institution&#x2019;s adoption of an <span class="dictionary">information security program</span> that satisfies the Interagency Guidelines. <a id="paragraph-198352" class="section-permalink" href="https://vacode.org/38.2-629/#A3"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> If a <span class="dictionary">licensee</span> ceases to qualify for an exception, such <span class="dictionary">licensee</span> shall have 180 days from the date it ceases to qualify to comply with this article. <a id="paragraph-198353" class="section-permalink" href="https://vacode.org/38.2-629/#B"><i class="fa fa-link"/></a></p></section></text><history>2020, c. 264.</history><metadata></metadata></law>
