Virginia Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Virginia's data breach notification law, Va. Code 18.2-186.6, has been in effect since 2008 and was significantly amended in 2019 to expand the definition of personal information and add the requirement to notify the Attorney General. The law is codified within the state's criminal code (Title 18.2, Crimes Involving Fraud), reflecting Virginia's approach of treating data breach notification as a consumer protection issue with both civil and regulatory enforcement mechanisms.
Virginia stands out for requiring Attorney General notification for all breaches (not just those exceeding a threshold), granting individuals a private right of action for direct economic damages, and maintaining a separate statute for medical information breaches.
This guide covers the full scope of Virginia's breach notification requirements, including how they connect to the broader [Virginia data privacy laws](/us-laws/data-privacy-laws/virginia-data-privacy-laws) framework, which also includes the Virginia Consumer Data Protection Act (VCDPA).
Who Must Comply
Virginia's law applies to any individual or entity that owns or licenses computerized data that includes personal information of Virginia residents. The law applies regardless of where the entity is located, as long as it holds data belonging to Virginia residents.
Third-Party Data Holders
An individual or entity that maintains computerized data that it does not own or license must notify the data owner or licensee of any breach without unreasonable delay following discovery. The data owner then carries the primary obligation to notify affected residents and the Attorney General.
Exemptions
Several categories of entities have separate enforcement channels:
- State-chartered or licensed financial institutions: Violations are enforceable exclusively by the institution's primary state regulator, not through the general enforcement provisions
- Insurance-regulated entities: The State Corporation Commission (Bureau of Insurance) handles enforcement
- Entities subject to GLBA: Entities that maintain breach-response procedures under the Gramm-Leach-Bliley Act and the rules of their applicable federal regulators are deemed in compliance, as long as they notify affected Virginia residents in accordance with those procedures
What Triggers Notification

Under Section 18.2-186.6, a "breach of the security of the system" means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by the individual or entity.
Notification is required when unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, and the breach causes, or the entity reasonably believes has caused or will cause, identity theft or another fraud to any Virginia resident.
This is a two-step trigger:
- Unauthorized access AND acquisition of unencrypted/unredacted personal information
- Reasonable belief that the breach has caused or will cause identity theft or fraud
Both elements must be present: unauthorized access alone, without acquisition, does not trigger the obligation, and acquisition without a reasonable belief that identity theft or fraud has resulted or will result may not require notification.
Encryption Safe Harbor
Virginia defines "encrypted" as the transformation of data through an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. If personal information was encrypted at the time of the breach and the encryption key was not compromised, notification is not required.
Redaction Safe Harbor
Virginia also provides a safe harbor for redacted data. Data is considered "redacted" if no more than the last four digits of a driver's license number, state ID number, SSN, or financial account number are visible. Up to five digits of the SSN may be displayed if they are not the last four digits.
Personal Information That Triggers the Law
Under Section 18.2-186.6, personal information means the first name or first initial and last name of any Virginia resident, in combination with any one or more of the following unencrypted or unredacted data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the resident's financial account
- Passport number
- Military identification number
The 2019 amendment (HB 2396) added passport numbers and military identification numbers to the list, expanding Virginia's definition beyond the original three categories.
What Virginia's Law Does Not Cover
The definition does not include:
- Medical or health information (covered under a separate statute)
- Health insurance identification numbers
- Biometric data
- Email credentials
- Taxpayer identification numbers (other than SSNs)
Personal information does not include publicly available information lawfully made available to the general public from federal, state, or local government records.
Notification Timeline
Virginia requires notification "without unreasonable delay" following discovery or notification of the breach. There is no fixed-day deadline.
The notice may be reasonably delayed to:
- Determine the scope of the breach and restore the reasonable integrity of the system
- Comply with law enforcement requests if notification would impede a criminal investigation or jeopardize national or homeland security
Once the scope is determined and law enforcement clears notification, it must proceed without unreasonable delay.
Who Must Be Notified
Attorney General (All Breaches)
Virginia requires notification to the Office of the Attorney General for all breaches of personal information affecting Virginia residents. This is notable because many states only require AG notification above a threshold (such as 500 or 1,000 residents). Virginia requires it for every reportable breach.
Affected Individuals
Every Virginia resident whose personal information was, or is reasonably believed to have been, compromised must receive notification.
Consumer Reporting Agencies (1,000+ Threshold)
When an entity notifies more than 1,000 persons at one time, it must also notify, without unreasonable delay, all nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) of the timing, distribution, and content of the consumer notices.
Required Content of the Notification
Virginia specifies what the notification must include:
- A description of the incident in general terms
- The type of personal information that was subject to the unauthorized access and acquisition
- The general acts of the entity to protect the personal information from further unauthorized access
- A telephone number for the entity that the individual may call for further information and assistance
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports
Methods of Notification

Virginia permits several notification methods:
- Written notice sent to the individual
- Telephone notice to the individual
- Electronic notice, if consistent with federal electronic records and signatures provisions
- Substitute notice, when the cost of providing individual notice exceeds $50,000, the affected class exceeds 100,000 persons, or the entity does not have sufficient contact information. Substitute notice requires all three of: email notice to available addresses, conspicuous posting on the entity's website, and notification to major statewide media.
Virginia's substitute notice thresholds are lower than those in many states ($50,000 in cost and 100,000 persons, compared to the more common $250,000 and 500,000).
Penalties and Enforcement

Civil Penalties
The Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system, or a series of breaches of a similar nature that are discovered in a single investigation.
This cap applies per breach event, not per individual. A single breach affecting thousands of individuals is subject to a maximum $150,000 penalty from the AG.
Private Right of Action for Direct Economic Damages
Virginia explicitly preserves individuals' rights to pursue legal action. The statute states that nothing in the section shall limit an individual from recovering direct economic damages from a violation.
This means individuals can sue entities that fail to provide proper notification and recover their provable financial losses. Courts have interpreted this as creating a private right of action for monetary relief, and plaintiffs have brought both individual and class action lawsuits under this provision.
The limitation to "direct economic damages" means individuals must demonstrate actual financial losses. Non-economic damages such as emotional distress or time spent monitoring credit are generally not recoverable under this specific statute.
Financial Institution Enforcement
Violations by state-chartered or licensed financial institutions are enforceable exclusively by the institution's primary state regulator. Individuals cannot bring private actions against these entities under this statute.
Separate Medical Information Breach Statute
Virginia maintains a separate breach notification statute for medical information. Va. Code 32.1-127.1:05 applies to entities that own or possess medical records and requires notification when medical information is breached. This is a distinct obligation from the general personal information breach notification under 18.2-186.6.
Connection to the Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, is a comprehensive consumer privacy law that governs how businesses collect and use personal data. VCDPA does not include its own breach notification requirements. Businesses subject to VCDPA must still comply with the breach notification obligations under 18.2-186.6 when a qualifying breach occurs.
Sources and References
This article draws from the following official Virginia government sources:
- Va. Code 18.2-186.6 (Breach of Personal Information Notification) - Full text of Virginia's data breach notification statute
- Va. Code 32.1-127.1:05 (Breach of Medical Information Notification) - Separate medical information breach notification statute
- Virginia Attorney General: Consumer Protection - AG office and breach reporting
- HB 2396 (2019) - 2019 amendment adding passport and military ID numbers and AG notification
This article provides general legal information about Virginia data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Virginia for guidance specific to your situation.