Virginia Enacts Its Own Consumer Privacy Law
By Dredeir Roberts, In House Counsel at Core States Group and ABA Business Law Fellow
On March 2, 2021, Virginia’s Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law. The Act targets businesses that collect or sell “Personal Data” from Virginia consumers. Personal Data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Entities excluded from the Act’s requirements include non-profits and higher education institutions. The Act grants Virginia consumers several rights with respect to Personal Data, including the right to request access, the right to correct, and the right to delete their Personal Data from company records. While there is no express private right of action in the Act, an uncured violation alleged by the attorney general could bring about fines of up to $7,500 per violation. Qualifying businesses have until January 1, 2023 to become compliant with the Act.
Utah Enacts Cybersecurity Affirmative Defense Act
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
On March 11, 2021, the Governor of Utah signed into law the Cybersecurity Affirmative Defense Act, which provides affirmative defenses to a person that suffers a data breach if that person had in place a written cybersecurity program at the time of a data breach. Utah Code §78B-4-701 et seq. Utah becomes the second state (after Ohio) to enact such a law.
The affirmative defenses will apply to claims brought under Utah state law or in Utah courts that allege a person failed to implement reasonable security and thus suffered a data breach, or failed to appropriately respond to or notify an individual of a data breach. To qualify for the defenses, a person must create, maintain, and reasonably comply with a written cybersecurity program that meets specific criteria and reasonably comply with a “recognized cybersecurity framework.” Recognized frameworks include certain industry frameworks, like those published by the National Institute of Standards and Technology or the International Organization for Standardization, and frameworks established by state or federal law, such as HIPAA or GLBA. The law takes effect May 5, 2021.