What To Do in the First 24 Hours After a Data Breach in Virginia
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
Reading this article does not create an attorney-client relationship, nor does merely contacting our office through this website or by any other means.
The first hours after a data breach are among the most consequential for any business. Decisions made, or not made, in that window can determine the scope of harm to affected individuals, the cost of remediation, the adequacy of your legal response, and the trajectory of any regulatory investigation. For Virginia businesses, those decisions are also shaped by specific statutory obligations that impose real deadlines.
This article walks through what Virginia law requires and what experienced practitioners consider best practice in the critical first 24 hours.
Understanding Virginia’s Breach Notification Statute
Virginia Code § 18.2-186.6 is Virginia’s primary data breach notification statute. It requires any entity that owns or licenses computerized data containing personal information of Virginia residents to notify affected residents when a breach of the security of the system occurs, if the breach causes or is reasonably believed to have caused identity theft or other financial injury.
Virginia law defines personal information as a first and last name, or first initial and last name, combined with any of the following data elements when either is not encrypted:
- Social Security number
- Driver’s license or state ID number
- Financial account number combined with a security code, access code, or password
- Medical or health insurance information
- Passport number
A breach of the security of the system means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
The notification must be made in the most expedient time possible and without unreasonable delay, but in no event later than 60 days from the date of discovery. If the breach affects more than 1,000 Virginia residents, you must also provide written notice to the Attorney General no later than 60 days after discovery.
The First Hour: Contain, but Preserve
When a breach is discovered, the instinct is often to shut everything down and clean up as fast as possible. That instinct, while understandable, must be tempered by an equally important obligation: preserving evidence.
Forensic investigators working on breach cases regularly encounter situations where well-meaning IT staff have wiped compromised systems, overwritten logs, or restored from backup before investigators could capture what happened. When that occurs, it can be impossible to determine what data was accessed, how the attacker gained entry, and whether the incident is fully contained. It can also complicate insurance claims and regulatory responses.
In the first hour, the priority should be:
- Contain the active threat by isolating affected systems from the network where possible, without destroying them
- Preserve system images and logs before any remediation begins, either by taking forensic copies or by engaging a forensic firm to do so
- Document everything starting from the moment of discovery: who identified the issue, what was observed, what systems appear affected, and what actions have been taken
Engage Legal Counsel Early
One of the most important decisions you can make in the first 24 hours is to contact an attorney. This is not simply about having legal representation for what may follow. It is about attorney-client privilege.
Communications between a client and an attorney for the purpose of obtaining legal advice are generally privileged and not discoverable in subsequent litigation or regulatory investigations. When a breach response is directed by counsel, reports prepared by forensic investigators as part of that engagement, and communications about the investigation, may also be protected under the work product doctrine.
If your IT team or an outside forensics firm conducts an investigation independent of legal direction, the resulting reports are more likely to be discoverable. In subsequent litigation or regulatory proceedings, a detailed forensic report identifying every vulnerability and failure in your systems could become evidence against you.
Engaging legal counsel at the outset allows the attorney to retain the forensic firm under the attorney’s direction, which can significantly strengthen the argument for privilege protection over investigation materials.
The Forensics Team’s Role vs. Legal Counsel’s Role
Forensic investigators and legal counsel serve distinct but complementary functions in a breach response.
The forensics team is responsible for:
- Determining how the attacker accessed the network
- Identifying which systems and data were affected
- Containing the threat and removing malware or unauthorized access
- Preserving evidence for investigation and potential law enforcement referral
Legal counsel is responsible for:
- Advising on notification obligations under Virginia and federal law
- Directing the forensic investigation to preserve privilege
- Managing communications with regulators, insurers, and affected parties
- Advising on public statements to avoid creating additional liability
- Coordinating with cyber insurance carriers
These roles should not be merged. Your IT director or managed service provider has different expertise and different obligations than your attorney.
Notify Your Cyber Insurer
If your business has a cyber liability insurance policy, your policy almost certainly has a notification requirement. Most policies require that you notify the insurer within a short window of discovering a potential incident, often 24 to 72 hours. Failure to notify promptly can be grounds for denial of coverage.
Contact your cyber insurer or your broker as soon as you have reason to believe an incident has occurred. The insurer may have preferred vendors for forensics, breach notification services, and legal counsel, and using those vendors may be required for coverage or may reduce your costs.
Do not wait until you have confirmed the full scope of the breach before notifying your insurer. Notify upon reasonable belief that an incident has occurred and supplement that notice as more information becomes available.
Federal Sector-Specific Requirements
Depending on your industry, additional federal notification requirements may apply with shorter timelines than Virginia’s 60-day window.
HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities and business associates to notify affected individuals without unreasonable delay and in no case later than 60 days following discovery of a breach of unsecured protected health information. For breaches affecting 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets and the Secretary of Health and Human Services.
More significantly, the HIPAA Breach Notification Rule’s 60-day clock may not provide as much flexibility in practice as it appears. HHS guidance indicates that covered entities should conduct a thorough investigation and provide notification “as soon as possible” and that 60 days is an outer limit, not a safe harbor.
Payment Card Industry Data Security Standard (PCI-DSS) requirements applicable to businesses that process payment cards may require notification to card brands and acquiring banks within specific timeframes established in payment processing agreements, often 24 to 72 hours.
SEC-regulated entities are subject to cybersecurity disclosure rules requiring prompt reporting of material cybersecurity incidents under certain circumstances.
Be Careful with Public Communications
Businesses under pressure during a breach incident sometimes issue premature public statements that cause additional harm. Common mistakes include:
- Announcing the breach before the scope is understood, leading to subsequent corrections that look like cover-ups
- Making representations about what data was or was not affected before the forensic investigation is complete
- Characterizing the incident in ways that conflict with later regulatory findings
- Posting on social media in ways that appear to minimize the incident
All public communications related to a breach, including statements to employees, customers, the press, and on social media, should be reviewed by legal counsel before release. This is particularly important during the first 24 hours when the full picture is rarely known.
What to Do if You Are a Small Business
Small businesses in Christiansburg, Radford, and throughout the New River Valley may believe that breach response protocols are primarily a concern for large corporations. That perception is inaccurate. Small businesses are frequent targets precisely because they often have less mature security controls than larger organizations.
The steps above apply regardless of the size of your business. Even a small business that experiences unauthorized access to a file containing customer names and Social Security numbers must comply with Virginia’s breach notification statute.
For small businesses without dedicated IT security personnel, having an incident response plan and pre-established relationships with a forensics firm and legal counsel before an incident occurs dramatically improves outcomes. Scrambling to find qualified professionals during an active breach is both expensive and inefficient.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.