For the second consecutive year Virginia has amended its data breach notification law. In March 2017, in light of a warning issued by the IRS to all employers regarding the resurgence of a W-2 based cyber scam, Virginia Governor Terry McAuliffe approved, a first of its kind, amendment to Virginia’s data breach notification statute. The amendment required employers and payroll service providers to notify the Virginia Office of the Attorney General of “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withheld for an individual”. Now, Virginia has again amended its data breach notification law. This amendment requires any income tax return preparer who has primary responsibility for accuracy of the preparation of a return or claim for refund (“signing income tax return preparer”) and who prepares Virginia individual income tax returns during a calendar year to notify Virginia’s Department of Taxation, without unreasonable delay, if they discover or are notified of a breach of “return information”. The new amendment, HB 183, will come into effect July 1, 2018.

Under the new amendment, “return information” is defined as “a taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

A signing income tax preparer required to notify the Department of Taxation of a breach must include:

  • names of affected taxpayers;
  • taxpayer identification numbers of affected taxpayers;
  • the name of the signed income tax preparer;
  • the tax preparer’s tax identification number; and
  • such other information as the Department of Taxation may prescribe.

Virginia continues a growing trend of states that have enacted or strengthened their data breach notification laws, of late. For more information on data breach notification law developments, see our recent articles: