Breach of Payroll Data

On March 13, 2017, Gov. McAuliffe signed SB 1033 into law. The new law amends the state’s rules related to notification following a breach of payroll data. Existing rules require an employer to notify any affected residents and the Office of the Attorney General if unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, and the breach causes or will cause identity theft or another fraud.

"Personal information" means the first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are neither encrypted nor redacted: social security number, driver’s license number or state identification card number, financial account or credit card number in combination with a security code or password.

Under the new law, notification would be required following a breach involving a taxpayer identification number in combination with the income tax withheld for that taxpayer.

The law applies to any employer that owns or licenses computerized data relating to income tax withheld.

SB 1033