Virginia Bill Would Require Notice When Personal Data Is Lost or Stolen
Two Virginia lawmakers said this week that they will introduce legislation requiring government agencies and businesses to notify Virginians if their personal information is lost or stolen.
Del. Robert Brink, D-Arlington, and Sen. Janet Howell, D-Fairfax, said at a news conference that their bill would help combat the fast-growing crime of identity fraud. Four percent of Americans have been victims of identity theft, Brink said.
“Giving people the right to know if their personal information is lost or stolen may seem like common sense, but Virginia has not followed the lead of 34 other states in requiring this important notification,” Brink said.
The legislators cited some high-profile security breaches in Virginia, including the exposure of thousands of taxpayers’ Social Security numbers in Hampton last July. An investigation determined faulty software was to blame.
The following month, a U.S. Veterans Affairs subcontractor in Reston lost a desktop computer containing as many as 38,000 veterans’ personal data, and Virginia Commonwealth University learned about 2,100 current and former students’ Social Security numbers had been available on the Internet for eight months.
Brink also noted that an investigation by Virginia’s auditor of public accounts last year found that a majority of state agencies are doing an unacceptable job protecting citizens’ private information.
The legislation will not have specific penalties for noncompliance but will authorize the attorney general’s office to bring action against any companies violating the notification requirement.
“This is not to penalize so much as to promote notification,” Brink said.
Notification could be given by mail, e-mail or telephone. A general public notice could be given in cases involving more than 250,000 people.
Hugh Keogh, president of the Virginia Chamber of Commerce, expressed some concerns about the notification mandate.
“If it became labor intensive it could be very bothersome,” he said.
However, the organization has not taken a position on the proposal, which is still being drafted.
“We will take a look at it, but there’s a general feeling businesses already have become more sensitive and judicious in how they deal with customers’ information,” Keogh said.