Data Breaches

Understanding Virginia's data breach notification obligations and how to respond.

When a Data Breach Occurs

A data breach, whether caused by a cyberattack, employee error, lost device, or vendor failure, can trigger time-sensitive legal obligations that begin to run immediately. How a business responds in the hours and days following an incident can significantly affect its legal exposure, regulatory standing, and relationships with customers and partners.

Valley Legal provides legal counsel to businesses in Christiansburg, Blacksburg, and throughout the New River Valley of Virginia on data breach response and notification obligations.

Virginia's Data Breach Notification Law

Virginia Code § 18.2-186.6 requires any entity that owns or licenses computerized data containing personal information of Virginia residents to notify affected individuals, and in some cases the Virginia Attorney General, when a breach of the security of that data occurs.

What Triggers Notification

Notification is required when there has been unauthorized access to and acquisition of unencrypted and unredacted computerized data that reasonably causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to Virginia residents. The analysis of whether a breach triggers notification requires careful review of what data was involved and the circumstances of the unauthorized access.

Notification Timing

Virginia law requires notification "in the most expedient time possible" and "without unreasonable delay." Unlike some states, Virginia does not specify a fixed number of days, but businesses should not interpret this as an invitation for extended delay. Courts and regulators expect prompt action.

Notification to the Attorney General

When a breach affects more than 1,000 Virginia residents, the business must also notify the Virginia Attorney General. The notification must include the types of personal information compromised, the number of affected residents, and the steps taken to investigate and address the breach.

Federal and Contractual Notification Obligations

Depending on the type of data involved and your industry, federal notification obligations may also apply:

  • HIPAA. Breaches of protected health information require notification to affected individuals, HHS, and, for large breaches, the media, within 60 days of discovery.
  • GLBA. Financial institutions must notify customers and the FTC under specific breach notification rules.
  • Contractual obligations. Vendor, customer, and partner agreements often require notification within a specific timeframe, sometimes 24 to 72 hours.
  • PCI DSS. Merchants and service providers that accept payment cards must notify their acquiring bank and card brands when cardholder data is compromised.

Immediate Steps After a Breach

The legal decisions made in the first 24–72 hours of a breach response matter enormously. Engaging legal counsel early, before making public statements, notifying regulators, or communicating with affected parties, helps ensure your response is legally sound and that attorney-client privilege is properly preserved over your investigation.

How We Can Help

  • Advising on whether a security incident triggers notification obligations under Virginia law or applicable federal law
  • Assisting with notification letters to affected individuals and government regulators
  • Helping coordinate legal response with technical investigators and forensic vendors
  • Advising on regulatory inquiries from the Virginia Attorney General or federal agencies
  • Reviewing and advising on contractual notification obligations to vendors and partners
  • Advising on breach-related litigation risk and legal exposure

If you believe a breach has occurred or may have occurred: Contact legal counsel promptly before making public statements or contacting regulators. Preserving attorney-client privilege over the investigation may be important to your legal position.

General Information Only. Data breach notification obligations are fact-specific and vary by the type of data involved, the nature of the breach, and applicable law. This page provides general information only and does not constitute legal advice. Contact our office to discuss your specific situation.