|June 9, 2014|
Previously published on June 2014
Imagine that your laptop is stolen. Since you conduct all your business on it, you struggle to remember the last time you backed up your data, and agonize at the prospect of rebuilding weeks, months, and possibly years of files. As you contemplate the recovery of your business data, you should also think about whether your laptop stored personal information of employees or clients. If so, you may have to notify them of the theft.
Virginia, like almost all states, has enacted legislation requiring persons or entities to notify impacted parties of a “breach of the security of [a] system.” Such a breach occurs where there is “unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals,” and which causes (or is reasonably believed to have caused) identity theft or fraud to a Virginia resident. “Personal information” is a Virginia resident’s “first name or first initial and last name in combination with and linked to” that resident’s social security number, driver’s license number or state ID card number, or financial data, where those data elements are neither redacted nor encrypted.
So if you determine that the stolen laptop has resulted in the breach of the security of a system, what are the next steps you should take? Part II of the Primer on Virginia's Data Breach Law will provide some guidance.