New Cyber Incident Reporting Requirements Go Into Effect in Virginia

New laws requiring public bodies in Virginia to report cybersecurity threats and incidents have gone into effect.

These newly enacted laws (Acts of Assembly Chapters 626 and 627) require public bodies to report to the Virginia Fusion Intelligence Center (the "Center") “all known incidents that threaten the security of the commonwealth's data or communications or result in exposure of data protected by federal or state laws and all other incidents compromising the security of the public body's information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies.”  

Under this framework, “public body” is broadly defined. Per Code of Virginia § 2.2-5514, a public body includes:

• any legislative body;
• any court of the commonwealth;
• any authority, board, bureau, commission, district, or agency of the commonwealth;
• any political subdivision of the commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; 
• other organizations, corporations, or agencies in the commonwealth supported wholly or principally by public funds; and
• any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System.

Should a security incident or threat of a security incident occur, public bodies must make such reports to the Center within 24 hours of the discovery of the incident. To make reporting easier, the commonwealth has also launched a new website, where public bodies can log cyber incidents and other suspicious activity.

In addition to the incident reporting requirements, this newly enacted legislation requires Virginia’s chief information officer to convene a work group to review current cybersecurity reporting and information sharing practices. Members of the group will include representatives from the Virginia Data Advisory Commission, the Office of Data Governance and Analytics, the Virginia State Police, the Virginia Department of Emergency Management, the Virginia Information Technologies Agency, the Virginia Municipal League, the Virginia Association of Counties, and other relevant stakeholders.

If further legislative changes are recommended, the work group must report their findings and recommendations to the Governor as well as the chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation. This report is due by November 15, 2022.

Williams Mullen will be hosting a webinar about these new incident reporting requirements on Wednesday, August 31 at 11:30am EST. Kevin Pomfret, co-chair of the firm’s Data Protection & Cybersecurity practice, will be joined on the webinar by representatives from AIS Network and the Virginia Association of Counties. To register for the webinar, please click here.