Can I ignore my obligations as a service provider with access to personal information in Virginia? What are the requirements?

Based on the context documents, you cannot ignore your obligations as a service provider with access to personal information in Virginia. The Administration of systems including personal information; Internet privacy policy; exceptions [VACV 2.2-3803] outlines the requirements for agencies maintaining an information system that includes personal information. These requirements include collecting, maintaining, using, and disseminating only that personal information permitted or required by law, establishing appropriate safeguards to secure the system from any reasonably foreseeable threat to its security, and maintaining a list of all persons or organizations having regular access to personal information in the information system. Additionally, any client has the right to obtain their client record upon written or verbal request, with certain exceptions [22 VAAC 40-910-60].

Furthermore, if unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay [VACV 18.2-186.6(B)].

Therefore, it is important to comply with the regulations and requirements outlined in the relevant documents to avoid any legal consequences.

Jurisdiction

Virginia

• Privacy