Commentary

Data Breach Liability: The Growing Legal Risks for Virginia Businesses

Data breaches have become a growing concern for Virginia businesses because of the severe legal and financial consequences they carry, and because the attackers carrying them out have become increasingly precise and sophisticated.

A data breach is the unlawful acquisition of personal information that compromises the security, confidentiality, or integrity of that information and thereby puts the individual it belongs to at risk.

Personal information is typically defined as one’s first and last name, Social Security number, driver’s license or state-issued ID card number, account number, and credit or debit card number. It can also include a person’s medical history, physical characteristics, email address and password, or tax ID number. [1]

In 2023, the Commonwealth instituted the Virginia Consumer Data Protection Act (VCDPA), bringing additional data protections to the citizens of Virginia, and additional responsibilities for businesses that fail to protect their data, to help combat the growing severity of these breaches.

Data breaches can also put companies at a competitive disadvantage by effectively lowering their credit ratings and reputation and heightening their cyber insurance premiums, often leading to immediate and long-term financial losses. [2]

When a data breach happens, it usually results in reputational damage and significant financial costs, including notification expenses, legal fees, and potential class-action lawsuits. [3]

Legal Framework for Data Breach Liability in Virginia

Liability for a data breach is governed at both the state and federal levels, which together set the standards businesses must adhere to.

Virginia-Specific Data Breach Laws

If a business or government entity has personal data of Virginia residents compromised in a breach, the Virginia Data Breach Notification Law requires it to notify the affected individuals within 45 days; failure to do so can lead to legal action and civil penalties. The notification must include details about the breach, the types of data affected, steps individuals should take to protect themselves, and contact information for the party responsible.

However, exemptions apply if the data is encrypted or if law enforcement delays the notification. For breaches involving sensitive data like Social Security numbers, free credit monitoring may be required. [3]

Federal Laws Impacting Virginia Businesses

There are multiple laws at the federal level that influence businesses, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and other industry-specific regulations.

HIPAA requires healthcare entities to protect individuals’ personal health information, while the GLBA, enacted in 1999, requires financial institutions to explain their information-sharing practices to customers and to safeguard their sensitive data. [4]

The Federal Trade Commission (FTC), which has administrative responsibilities under more than 70 laws, enforces federal consumer protection regulations to prevent fraud and promote competition. This enforcement work combats internet scams and price-fixing schemes, helping to preserve fair commerce. [5]

The Computer Fraud and Abuse Act (CFAA) was enacted in 1986 to address hacking, prohibiting intentional access to a computer without authorization. Its most recent update expanded its scope by broadening the definition of a protected computer to include any computer used in or affecting interstate or foreign commerce or communication. The CFAA gives businesses whose data has been breached a course of action through prosecution. [6]

How Liability for a Data Breach is Determined

To determine who is liable for a data breach, it must first be established whether negligence occurred.

Negligence is defined as the failure to exercise the proper degree of care expected by a reasonable person in a given situation. Under Virginia negligence laws, the “pure contributory negligence rule” still applies. This means that for a Virginia resident to receive compensation for damages from a data breach, the business responsible must be found 100 percent at fault. [7]

There are multiple factors considered when assessing liability, including:

  • Did the business take reasonable cybersecurity measures?
  • Was the breach caused by an employee, vendor, or cybercriminals?
  • Did the company comply with notification laws?

Legal and Financial Risks for Virginia Businesses

Virginia businesses that experience data breaches or cybersecurity hacks face consequences, particularly if the relevant information is not shared with the users or customers who have been impacted. Examples of these consequences include:

  • Regulatory Fines & Lawsuits
    • Civil penalties for failure to report or mitigate a breach
    • Class-action lawsuits from consumers or employees
    • Potential criminal charges in cases of gross negligence
  • Reputational & Operational Costs
    • Loss of consumer trust and business disruption
    • Cost of forensic investigations, public relations, and legal defense
    • Ransomware attacks and extortion risks

How Virginia Businesses Can Reduce Data Breach Risks

There are a few ways Virginia businesses can help prevent data breaches from occurring and reduce their liability if a data breach occurs at their organization.

Implement Cybersecurity Best Practices

Following cybersecurity best practices at your organization is non-negotiable from both an ethical and a legal standpoint. CISA, the Cybersecurity and Infrastructure Security Agency, is a U.S. federal agency within the Department of Homeland Security and is one of many official organizations that publish guidelines on cybersecurity best practices.

These best practices include conducting regular cybersecurity audits and employee training, using multi-factor authentication (MFA) and encryption wherever possible, and creating incident response plans.

Contractual Protections and Vendor Liability Clauses

Third-party security audits are one of the best ways to proactively reduce your risk of a data breach, and therefore your liability. These audits not only identify vulnerabilities in your in-house cybersecurity program, but also hold accountable any third-party vendors to whom you’ve outsourced operations.

In addition to regularly auditing your third-party vendors, contractual indemnities such as vendor liability clauses should be used in these partnerships. Including them means that if your vendor experiences a data breach that affects your customers, the vendor is legally obligated to cover specified losses to your organization.

Insurance for Cyber Liability and Data Breaches

Since cyberattacks, data breaches, and other technology-related incidents have proven costly to businesses, cyber insurance is now a commonplace addition to business insurance policies for large organizations. Also known as cyber liability or data breach insurance, this coverage can help a business recover from losses related to cyber incidents, including fines, legal fees, recovery of lost data, and notifying customers and restoring their personal identities.

Protect Your Customers and Organization

The Cybersecurity group at ThompsonMcMullan consists of attorneys with expertise in helping clients navigate the data privacy landscape through policy creation, incident response and remediation, and compliance practices. We work with clients throughout the full lifecycle of a breach: policy development and implementation, representation during investigations and litigation, risk management, breach response, drafting of notices, and more.

Our dedicated attorneys are more than happy to answer any of your questions, so contact us today!

References:

[1] https://www.naag.org/issues/consumer-protection/consumer-protection-101/privacy/data-breaches/
[2] https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach
[3] https://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/
[4] https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
[5] https://www.ftc.gov/enforcement
[6] https://www.techtarget.com/searchsecurity/definition/Computer-Fraud-and-Abuse-Act-CFAA
[7] https://www.findlaw.com/state/virginia-law/virginia-negligence-laws.html