                                 CODE OF VIRGINIA

NOTICE TO CONSUMERS (§ 38.2-626)

A. A licensee that maintains consumers&#8217; nonpublic information shall notify
the consumer of any cybersecurity event without unreasonable delay after making
a determination or receiving notice the cybersecurity event has occurred, if
consumers&#8217; nonpublic information was accessed and acquired by an
unauthorized person or such licensee reasonably believes consumers&#8217;
nonpublic information was accessed and acquired by an unauthorized person and
the cybersecurity event has a reasonable likelihood of causing or has caused
identity theft or other fraud to such consumers. Such notice shall include a
description of the following:

   1. The incident in general terms;

   2. The type of nonpublic information that was subject to the unauthorized
   access and acquisition;

   3. The general acts of the licensee to protect the consumer&#8217;s nonpublic
   information from further unauthorized access;

   4. A telephone number that the consumer may call for further information and
   assistance, if one exists; and

   5. Advice that directs the consumer to remain vigilant by reviewing account
   statements and monitoring the consumer&#8217;s credit reports.

B. Notice to consumers under this section shall be given as written notice to
the last known postal address in the records of the licensee, telephone notice,
or electronic notice. However, if the licensee required to provide notice
demonstrates that the cost of providing notice will exceed $50,000, the affected
class of consumers to be notified exceeds 100,000 consumers, or the licensee
does not have sufficient contact information or consent to provide notice,
substitute notice may be provided. Substitute notice shall consist of (i) e-mail
notice if the licensee has e-mail addresses for the members of the affected
class of consumers; (ii) conspicuous posting of the notice on the website of the
licensee if the licensee maintains a website; and (iii) notice to major
statewide media.

C. In the event that a licensee provides notice to more than 1,000 consumers at
one time pursuant to this section, the licensee shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on consumers on a nationwide basis, as defined in 15 U.S.C. &#xA7; 1681a
(p), of the timing, distribution, and content of the notice.

D. Notice required by this section shall not be considered a debt communication
as defined by the Fair Debt Collection Practices Act in 15 U.S.C. &#xA7; 1692a.

E. Notice required by this section and &#xA7; 38.2-625 may be delayed if, after
the person notifies a law-enforcement agency, the law-enforcement agency
determines and advises the person that the notice will impede a criminal or
civil investigation or jeopardize national or homeland security. Notice shall be
made without unreasonable delay after the law-enforcement agency determines that
the notification will no longer impede the investigation or jeopardize national
or homeland security.

F. If there is a cybersecurity event in a system maintained by a third-party
service provider, the licensee, once it has become aware of such cybersecurity
event, shall treat such event as it would under this section, unless the
third-party service provider provides notice in accordance with this section.
The computation of a licensee&#8217;s deadlines shall begin on the day after the
third-party service provider notifies a licensee of the cybersecurity event or
the licensee otherwise has actual knowledge of the cybersecurity event,
whichever is sooner.

HISTORY: 2020, c. 264.