Effective July 1, 2017, the state of Virginia will require employers and payroll service providers to notify the attorney general without unreasonable delay if certain employee payroll data is compromised. Specifically, notification is required after an employer or payroll service provider discovers or is notified of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer if the incident:

  • Compromises the confidentiality of such data, and
  • Causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud.


HB 2113, sponsored by Del. Mark Keam, was intended to protect Virginians from income tax refund fraud, a type of fraud that is larger than previously estimated according to a new report from the Treasury Inspector General for Tax Administration.

“To give the government a fighting chance against these criminals, it’s critical that employers notify the attorney general’s office as soon as they discover a breach of their employees’ payroll data so that the Tax Department can prevent fraudulent income tax refunds from being processed.”

– Del. Mark Keam, in an interview with the Vienna Patch

Other interesting provisions in the bill:

  • An incident that only involves a taxpayer identification number in combination with the income tax withheld for that taxpayer would not trigger notification to affected individuals.
  • If notification to the attorney general is required, an employer or payroll service provider must provide the attorney general with the name and federal employer identification number of the affected employer.
  • For employers, the new notification obligation only applies to information regarding the employer’s employees, not information regarding the employer’s customers or other non-employees.


What this means for privacy and security teams

This requirement to notify the state attorney general’s office falls within a previously identified trend in state data breach notification laws, as attorneys general’s offices work to help consumers deal with the repercussions of a data breach.

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you. You can expect to see changes in state data breach notification laws applied in RADAR the same day the law goes into effect. Summaries of all data breach notification statutes, including Virginia House Bill 2113, are available for reference within the RADAR Law Overviews.
