2006 SESSION

066694464
HOUSE BILL NO. 1508
Offered January 20, 2006
A BILL to amend the Code of Virginia by adding sections numbered 59.1-443.3 and 59.1-443.4, relating to information privacy; access to consumer reports; notice of security breaches.
----------
Patron-- Plum
----------
Referred to Committee on Commerce and Labor
----------

Be it enacted by the General Assembly of Virginia:

1.  That the Code of Virginia is amended by adding sections numbered 59.1-443.3 and 59.1-443.4 as follows:

§ 59.1-443.3. Access to consumer reports.

A. As used in this section:

"Consumer" means any individual.

"Consumer report" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (i) credit or insurance to be used primarily for personal, family, or household purposes, except that nothing in this section authorizes the use of credit evaluations, credit scoring, or insurance scoring in the underwriting of personal lines of property or casualty insurance; (ii) employment purposes; or (iii) any other purpose authorized under 15 U.S.C. § 1681b.

"Consumer reporting agency" means any person that, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

B. Every consumer reporting agency shall, upon request from a consumer who is not covered by the free disclosures provided in subsections (a) through (d) of 15 U.S.C. § 1681j, clearly and accurately disclose to the consumer:

1. All information in the consumer's file at the time of the request, except that nothing in this subdivision shall be construed to require a consumer reporting agency to disclose to a consumer any information concerning credit scores or other risk scores or predictors that are governed by 15 U.S.C. § 1681g (f);

2. The sources of the information;

3. The identification of each person, including each end-user identified under 15 U.S.C. § 1681e, that procured a consumer report:

a. For employment purposes, during the two-year period preceding the date on which the request is made; or

b. For any other purpose, during the one-year period preceding the date on which the request is made;

4. An identification of a person under subdivision 3 of this subsection shall include:

a. The name of the person or, if applicable, the trade name, written in full, under which such person conducts business; and

b. Upon request of the consumer, the address and telephone number of the person;

5. Subdivision 3 of this subsection does not apply if:

a. The end user is an agency or department of the federal government that procures the report from the person for purposes of determining the eligibility of the consumer to whom the report relates to receive access or continued access to classified information as defined in 15 U.S.C. § 1681b (b)(4)(E)(i); and

b. The head of the agency or department makes a written finding as prescribed under 15 U.S.C. § 1681b (b)(4)(A);

6. The dates, original payees, and amounts of any checks upon which is based any adverse characterization of the consumer included in the file at the time of the disclosure or that can be inferred from the file;

7. A record of all inquiries received by the agency during the one-year period preceding the request that identified the consumer in connection with a credit or insurance transaction that was not initiated by the consumer; and

8. If the consumer requests the credit file and not the credit score, a statement that the consumer may request and obtain a credit score.

C. In the case of a request under subsection B, a consumer reporting agency may impose a reasonable charge on a consumer for making a report pursuant to this section, which charge:

1. Shall not exceed $2 for each of the first 12 requests from the consumer in a calendar year;

2. Shall not exceed $8 for any additional request beyond the initial 12 requests from the consumer in a calendar year; and

3. Shall be indicated to the consumer before making the disclosure.

D. In the case of a request under subsection B, a consumer reporting agency shall provide the consumer with an opportunity to access his report through all of the following means:

1. In writing;

2. In person, upon the appearance of the consumer at the place of business of the consumer reporting agency where disclosures are regularly provided, during normal business hours, and on reasonable notice;

3. By telephone, if the consumer has made a written request for disclosure;

4. By electronic means, if the agency offers electronic access for any other purpose; and

5. By any other reasonable means that is available from the agency.

E. A consumer reporting agency shall provide a report under subsection B no later than:

1. Twenty-four hours after the date on which the request is made, if the disclosure is made by electronic means, as requested under subdivision D 4; and

2. Five days after the date on which the request is made, if the disclosure is made in writing, in person, by telephone, or by any other reasonable means that is available from the agency.

§ 59.1-443.4. Notice of security breaches.

A. Definitions.

As used in this section:

"Breach of the security of the data" means unauthorized acquisition of computerized or noncomputerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. Good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector is not a breach of the security of the data, provided that the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure. Breach of the security of noncomputerized data may include but is not limited to unauthorized photocopying, facsimiles, or other paper-based transmittal of documents.

"Data collector" includes but is not limited to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personal information.

"Personal information" means an individual’s last name, address, or phone number in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or encrypted with an encryption key that was also acquired:

1. Social security number.

2. Driver’s license number or state identification card number.

3. Account number, credit or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords.

4. Account passwords or personal identification numbers or other access codes.

5. Biometric data.

6. Any of items 1 through 5 when not in connection with the individual’s last name, address or phone number if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records, provided that such publicly available information has not been aggregated or consolidated into an electronic database or similar system by the governmental agency or by another person.

B. 1. Except as provided in subdivision B 2, any data collector that owns or uses personal information in any form, whether computerized, paper, or otherwise, that includes personal information concerning a Virginia resident shall notify the resident that there has been a breach of the security of the data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision B 2, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

2. The notification required by this section may be delayed if a law-enforcement agency determines in writing that the notification may seriously impede a criminal investigation.

3. For purposes of this section, notice to consumers may be provided by one of the following methods:

a. Written notice.

b. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, for notices legally required to be in writing, set forth in 15 U.S.C. § 7001.

c. Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of (i) conspicuous posting of the notice on the Internet site of the agency or person, if the data collector maintains a public Internet site; and (ii) notification to major statewide media.  The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.

4. The notification required by this section shall include:

a. To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including social security numbers, driver's license or State identification numbers and financial data;

b. A toll-free number that the individual may use to contact the data collector, or the agent of the data collector and from which the individual may learn (i) what types of information the data collector maintained about that individual or about individuals in general; (ii) whether or not the data collector maintained information about that individual; and (iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

5. The notification required by this section may be delayed if a law-enforcement agency determines, in writing, that the notification may impede a criminal investigation.

6. A person required to provide notification under this section shall provide or arrange for the provision of, to each individual to whom notification is provided under this section and on request and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than two months following a breach of security and continuing on a quarterly basis for a period of two years thereafter.

C. Any waiver of the provisions of this title is contrary to public policy, and is void and unenforceable.

D. Any individual injured by a violation of this section may, in addition to the remedies provided by § 59.1-444, institute a civil action to recover actual damages that exceed the limit of $100 of damages per violation set forth in that section.