Unlock unlimited alerts, exports & API access — RuleWatch Pro at $29/mo
Regulation dossier
A focused view of the rule, its enforcement posture, and the timeline teams should keep in their operating plan.
Plain-English summary
Virginia requires entities and state agencies that suffer qualifying breaches involving personal information to notify affected residents and, in many cases, the Attorney General. It affects businesses and public bodies that own or license personal information and sets timelines, notice content expectations, and substitute-notice rules.
Reading guide
Use the timeline below to see how the rule progressed from enactment to current obligations.
Related regulations surface adjacent requirements in the same jurisdiction or policy lane.
Timeline
Jul 1, 2008
Virginia's original data breach notification duties became effective for covered personal information.
Jul 1, 2019
Virginia amendments expanded breach-notice coverage and Attorney General notification obligations.
Jul 1, 2020
Virginia updated the breach notification statute again as part of later personal-information amendments.
Get email alerts when this regulation changes and export records to CSV for your compliance workflow — available with RuleWatch Pro.
Subscribe for regulation alerts
Free weekly digest for compliance professionals following material legal changes.
Related regulations
Pulled from the same jurisdiction or category so teams can compare adjacent obligations quickly.
Virginia, United States
Virginia now requires human decision-makers to remain responsible for major criminal justice decisions even when AI-based tools generate recommendations or predictions. It affects judicial officers and other criminal-justice decision-makers by limiting AI to an assistive role and preserving opportunities to challenge AI outputs.
Virginia, United States
Virginia gives consumers rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising, sale, and certain profiling. It applies to controllers and processors that meet statutory thresholds and requires privacy notices, data protection assessments, and contracts with processors. Sensitive data processing generally needs consumer consent.
Texas, United States
Texas gives certain businesses a safe harbor from exemplary damages after a breach if they implemented and maintained a qualifying cybersecurity program. It affects Texas businesses that handle sensitive personal information and pushes them toward recognized cybersecurity frameworks and scaled security controls.