SECTION 38.2-626. Notice to consumers  


A. A licensee that maintains consumers' nonpublic information shall notify the consumer of any cybersecurity event without unreasonable delay after making a determination or receiving notice the cybersecurity event has occurred, if consumers' nonpublic information was accessed and acquired by an unauthorized person or such licensee reasonably believes consumers' nonpublic information was accessed and acquired by an unauthorized person and the cybersecurity event has a reasonable likelihood of causing or has caused identity theft or other fraud to such consumers. Such notice shall include a description of the following:

1. The incident in general terms;

2. The type of nonpublic information that was subject to the unauthorized access and acquisition;

3. The general acts of the licensee to protect the consumer's nonpublic information from further unauthorized access;

4. A telephone number that the consumer may call for further information and assistance, if one exists; and

5. Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring the consumer's credit reports.

B. Notice to consumers under this section shall be given as written notice to the last known postal address in the records of the licensee, telephone notice, or electronic notice. However, if the licensee required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of consumers to be notified exceeds 100,000 consumers, or the licensee does not have sufficient contact information or consent to provide notice, substitute notice may be provided. Substitute notice shall consist of (i) e-mail notice if the licensee has e-mail addresses for the members of the affected class of consumers; (ii) conspicuous posting of the notice on the website of the licensee if the licensee maintains a website; and (iii) notice to major statewide media.

C. In the event that a licensee provides notice to more than 1,000 consumers at one time pursuant to this section, the licensee shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

D. Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. § 1692a.

E. Notice required by this section and § 38.2-625 may be delayed if, after the person notifies a law-enforcement agency, the law-enforcement agency determines and advises the person that the notice will impede a criminal or civil investigation or jeopardize national or homeland security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

F. If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this section. The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies a licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

2020, c. 38.2-625.