Virginia Data Breach Laws: Fines and Notifications

Virginia data breach laws apply to any entity that stores the protected information (PI) of a VA resident. Businesses must notify customers about data breaches and report any breach affecting more than 1,000 Virginia residents to consumer reporting agencies. Regulatory fines can be issued for up to $150,000 per incident.

| Provision | Details |
| --- | --- |
| Name of Law / Statute | |
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes. |
| Who Is Subject to Law? | Any individual or entity "storing" PI of state residents |
| Notification of Consumers? | |
| By what means? | Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies |
| Substitute Notice Threshold? | If cost of notice >$50,000 or involves >100k residents |
| Notification of authorities / regulators required? | Yes if >1,000 affected |
| By what means? | |
| Regulatory Fines | Up to $150k/breach |
| Credit monitoring requirement? | |
| Private lawsuits allowed? | |
| Private damages cap? | Direct economic damages |
| Regulatory actions allowed? | |
| HIPAA Compliance exemption? | |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted (unless encryption was compromised) or redacted |
| Link to complete law | Virginia's data breach law |

Read the full text of Virginia’s data breach law.
