<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>64751</law_id><section_number>59.1-552</section_number><catch_line>Establishment of liability; limitation of liability</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><structure><unit label="title" level="1" order_by="1" identifier="59.1">Trade and Commerce</unit><unit label="chapter" level="2" order_by="1" identifier="50">Electronic Identity Management Act</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> An <span class="dictionary"><span class="dictionary">identity trust framework</span> operator</span>, <span class="dictionary">identity provider</span>, <span class="dictionary">federation administrator</span>, or <span class="dictionary">federation operator</span> shall be liable if the issuance of an <span class="dictionary">identity credential</span> or assignment of an <span class="dictionary">identity attribute</span>, or a <span class="dictionary">trustmark</span>, is not in compliance with the Commonwealth&#x2019;s identity management standards in place at the time of issuance. Further, the <span class="dictionary"><span class="dictionary">identity trust framework</span> operator</span> or <span class="dictionary">identity provider</span> shall be liable for noncompliance with applicable terms of any contractual agreement with a contracting <span class="dictionary">party</span> and any written rules and policies of the <span class="dictionary">identity trust framework</span> or federation of which it is a member. <a id="paragraph-235622" class="section-permalink" href="https://vacode.org/59.1-552/#A"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> An <span class="dictionary"><span class="dictionary">identity trust framework</span> operator</span>, <span class="dictionary">identity provider</span>, <span class="dictionary">federation administrator</span>, or <span class="dictionary">federation operator</span> shall not be liable if the issuance of the identity credential or assignment of an <span class="dictionary">identity attribute</span> or a <span class="dictionary">trustmark</span> was in compliance with (i) the Commonwealth&#x2019;s identity management standards in place at the time of issuance or assignment, (ii) applicable terms of any contractual agreement with a contracting <span class="dictionary">party</span>, and (iii) any written rules and policies of the <span class="dictionary">identity trust framework</span> or federation of which it is a member, provided such <span class="dictionary"><span class="dictionary">identity trust framework</span> operator</span> or <span class="dictionary">identity provider</span> did not commit an act or omission that constitutes gross <span class="dictionary">negligence</span> or willful misconduct. An <span class="dictionary"><span class="dictionary">identity trust framework</span> operator</span> or <span class="dictionary">identity provider</span> shall not be liable for misuse of an identity credential by the <span class="dictionary">identity credential holder</span> or by any other person who misuses an identity credential. <a id="paragraph-235623" class="section-permalink" href="https://vacode.org/59.1-552/#B"><i class="fa fa-link"/></a></p></section></text><history>2015, cc. 482, 483; 2020, c. 736.</history><metadata></metadata></law>
