
Privacy Tracker | Virginia proposes new privacy statute imposing 'duty of care'



Editor's Note:

After publishing this story on March 15, it was brought to our attention that this proposal was "passed by indefinitely" by the Commerce and Labor subcommittee, indicating that, while it is possible the bill could be revived, the Virginia legislature adjourned its 2019 session on Feb. 24 and the bill is not likely to pass. We apologize for any confusion this may have caused.

Virginia is one of a handful of states with a wide variety of privacy statutes. It already has a breach notification statute, Va. Code §§ 18.2–186.6. To trigger the obligation to notify those affected by a breach, there must be a "risk of harm" resulting from the unauthorized acquisition or access (breach) of personal information. In addition, Virginia Code §§ 32.1–127.1:05 covers the disclosure of health information by state and local governmental entities. Both statutes contain exemptions from breach reporting, including where the information that is unlawfully acquired or accessed is redacted or encrypted. In early 2019, Virginia announced some additions to its privacy laws.

New proposed sections

In the shadow of the EU General Data Protection Regulation, which went into effect in 2018, and the resurgence of global privacy laws, Virginia has proposed a new privacy statute, HB 2793, that imposes a duty of care on businesses on the disposal of personal information. HB 2793 applies to both paper and electronic records. Businesses that own, license or maintain personal information about customers will be required to comply with the bill.

The bill does not cover publicly available information that an individual has voluntarily disseminated and/or consented to be listed, such as a name, address or telephone number.

HB 2793 is not applicable to businesses regulated by state or federal laws that provide greater protections for personal information. Therefore, the bill does not apply to covered entities or business associates as defined by the Health Insurance Portability and Accountability Act, since both must already follow stricter disposal requirements under HIPAA.

Important provisions: Duty of care

Businesses must take reasonable steps to dispose of customer records within their custody or control. Acceptable methods include shredding, erasing or otherwise modifying the personal information so that it is unreadable or undecipherable through any means.

Additionally, businesses must implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure. The bill cites standards and best practices for cybersecurity and resiliency, including the Open Web Application Security Project Foundation's Internet of Things Security Guidance and the IoT Security Foundation's Best Practice Guidelines.


Manufacturers of devices that collect personal information must provide remediation steps, including patches, updates and setting changes, to consumers without unreasonable delay when the manufacturer becomes aware of existing vulnerabilities that put more than 500 consumers/users at risk. In such a situation, the manufacturer also has a duty to notify the office of the Chief Information Officer of the Commonwealth.

Transparency and accountability

Manufacturers are required to provide notices of patches and updates to those devices. Manufacturers of devices are liable for vulnerabilities that contribute to system breaches that compromise data.


In addition to the remedies provided under the general breach notification statute, the bill gives a customer who suffers loss or pecuniary damage resulting from a violation of its provisions the right to bring an individual action to recover damages and reasonable attorney fees. Nonetheless, the bill expressly denies users of connected devices a private right of action against manufacturers of those devices for violations under the bill.

If passed, HB 2793 would take effect Jan. 1, 2020. The recent passage of the GDPR has clearly influenced massive overhauls, amendments and creation of privacy laws globally. U.S. lawmakers are part of this resurgence, with the enactment of the CCPA and states passing privacy laws by the close of 2018. U.S. state laws vary in the application of breach notification requirements, the types of applicable personal information, fines and individual remedies. Based on this, the U.S. may pass the first comprehensive federal data protection bill in the near future.


  • David Holtzman • Mar 15, 2019
    Note that the correct bill number is HB 2793. This legislation was a one-house bill that died in the Commerce & Labor Committee on February 5th. Better luck next year.
  • Victorianne Musonza • Mar 15, 2019
    Thank you, David. The bill number has been corrected. The bill's status is actually Passed Indefinitely, not failed. The Virginia legislature reserves the right to consider the bill at the next meeting. My article highlights the proposed legislation and does not assume the bill was passed. A link to the current status of the bill can be found here:
  • Thomas Gancarski • Mar 19, 2019
    Great article, thanks!