Virginia - Sectoral Privacy Overview
The Constitution of Virginia of 1971 does not provide for a general right to privacy.
2.1. Consumer Data Protection Act
On 2 March 2021, the Virginia Consumer Data Protection Act ('CDPA') was signed into law, through House of Delegates Bill 2307 and Senate Bill 1392, making Virginia the second US state, after California, to enact comprehensive privacy legislation of general applicability. The CDPA establishes a comprehensive framework for controlling and processing personal data of Virginia residents and its requirements become effective on 1 January 2023. As described in more detail below, this law provides Virginia residents with certain rights with respect to their personal data, and includes requirements relating to data minimisation, processing limitations, data security, non-discrimination, and data protection assessments. It also requires certain contract terms between controllers and processors and imposes certain requirements directly on processors.
Please note that on 11 April 2022, the Governor also approved three amendment bills to the CDPA, specifically, Senate Bill 534, House Bill 714, and House Bill 381 which amend the CPDA with respect to certain definitions, enforcement, and the right to deletion.
Under §59.1-575 the following are key definitions under the CDPA.
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable natural person.
'Personal data' does not include de-identified data or publicly available information. 'Publicly available information' means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience. 'De-identified data' means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person. A controller that possesses 'de-identified data' must comply with certain requirements under the CDPA.
Sensitive data: A category of personal data that includes:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- personal data collected from a known child; or
- precise geolocation data.
Consumer: A natural person who is a resident of Virginia acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
Controller: The natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
Processor: A natural or legal entity that processes personal data on behalf of a controller.
Sale of personal data: The exchange of personal data for monetary consideration by the controller to a third party. 'Sale of personal data' does not include:
- disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- disclosure or transfer of personal data to an affiliate of the controller;
- disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or
- disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
Applicability and Exemptions
The CDPA applies to companies that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that:
- during a calendar year, control or process personal data of at least 100,000 consumers; or
- control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The law itself does not define what constitutes conducting business in Virginia or when products or services are targeted to Virginia residents. However, consistent with the extraterritorial application of other privacy regimes such as the California Consumer Privacy Act of 2018 ('CCPA') and the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the law contemplates application to businesses not physically established in Virginia (§59.1-576(A) of the CDPA).
The CDPA provides certain exemptions that apply at the entity level, as well as a number of exemptions that are specific to certain data or data processing activities. At the entity level, the law provides exemptions for financial institutions subject to the federal Gramm-Leach-Bliley Act of 1999 ('GLBA'), covered entities and business associates subject to the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), non-profit organisations, institutions of higher education, and Virginia government entities. The law's data-specific exemptions include (§59.1-576(B) of the CDPA):
- data that is subject to the GLBA;
- protected health information under HIPAA;
- certain other types of health, patient, and research data;
- data processed in an employment context or in a business to business context; and
- certain personal data processing in compliance with the federal Fair Credit Reporting Act of 1970 ('FCRA'), the federal Driver's Privacy Protection Act of 1994, the federal Family Educational Rights and Privacy Act of 1974 ('FERPA'), and the federal Farm Credit Act of 1971.
The CDPA also provides that it is not to be construed to restrict a controller's or processor's ability to engage in certain activities. These 'limitations' of the law include, for example (§59.1-582(A) of the CDPA):
- complying with federal, state, or local laws, rules, or regulations;
- complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by governmental authorities;
- cooperating with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; or
- investigating, establishing, exercising, preparing for, or defending legal claims.
The law also provides that its obligations will not restrict a controller's or processor's ability to collect, use, or retain data to (§59.1-582(B) of the CDPA):
- conduct internal research to develop, improve, or repair products, services, or technology;
- effectuate a product recall;
- identify and repair technical errors that impair existing or intended functionality; or
- perform certain internal operations.
Notably, if a controller processes personal data under one of the CDPA's limitations, the controller bears the burden of demonstrating that the processing qualifies for the limitation and that it complies with certain requirements applicable to processing pursuant to a limitation (§59.1-582(G) of the CDPA).
Individual Privacy Rights
Similar to other comprehensive data privacy laws, such as the GDPR, the CCPA and the California Privacy Rights Act of 2020 ('CPRA'), the CDPA provides individuals with a number of privacy rights. In particular, the CDPA provides consumers with the right to (§59.1-577(A) of the CDPA):
- confirm whether a controller is processing the consumer's personal data and to access such personal data;
- correct inaccuracies in the consumer's personal data;
- delete personal data provided by or obtained about the consumer; and
- obtain a copy of certain personal data in some circumstances.
The CDPA also provides consumers with the right to opt out of certain processing. Specifically, consumers may opt out of processing personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (§59.1-577(A)(5) of the CDPA).
Controllers must respond to a consumer's requests free of charge, up to twice annually. Such response must be made within 45 days of receiving the consumer's request, unless the controller satisfies the conditions and requirements for a 45-day extension (§59.1-577(B) of the CDPA). Controllers must also provide an appeals process for consumers who are dissatisfied with the controller's response or decision regarding the consumer’s rights request (§59.1-577(C) of the CDPA).
Notably, the CDPA states that it must not be construed to require a controller or processor to comply with a consumer rights request if (§59.1-581(C) of the CDPA):
- the controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
- the controller does not use the personal data to recognise or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
- the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted under the §59.1-581 of the CDPA.
Key Controller Responsibilities
The CDPA imposes a number of restrictions and obligations on controllers, including collection and use limitations, and obligations pertaining to data security, non-discrimination, consent, and transparency. More specifically, except as otherwise provided in the law, controllers must (§59.1-578(A) of the CDPA):
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed;
- only process personal data for purposes that are reasonably necessary or compatible with the disclosed purposes for which the personal data is processed, unless the controller obtains the consumer's consent;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers and not discriminate against a consumer for exercising privacy rights under the law;
- not process sensitive data without obtaining the consumer's consent; and
- provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes certain required information, including how the consumer may opt out of targeted advertising or sales of personal data, if the controller engages in such activities.
Certain requirements under the CDPA do not apply to pseudonymous data, provided that the controller can demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organisational controls that prevent the controller from accessing such information (§59.1-581(D) of the CDPA). In addition, requirements that apply to personal data under the CDPA do not apply to de-identified data because de-identified data is excluded from the definition of personal data. However, the CDPA includes certain obligations that apply specifically to de-identified data; namely, a controller in possession of de-identified data must (§59.1-581(A) and (E) of the CDPA):
- take reasonable measures to ensure that the data cannot be associated with a natural person;
- publicly commit to maintaining and using de-identified data without attempting to re-identify the data;
- contractually obligate any recipients of the de-identified data to comply with all provisions of the CDPA; and
- exercise reasonable oversight to monitor and enforce the recipient's compliance with the contractual commitments.
Roles of Controllers and Processors
The CDPA requires a binding contract between controllers and processors that governs the processing of personal data by the processor on behalf of the controller. The contract must include instructions for the data processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of the controller and processor. The contract must also include obligations relating to confidentiality, deletion or return of the personal data, the processor's compliance with the contract, compliance assessments, and subcontracting (§59.1-579(B) of the CDPA).
In addition to controller/processor contract requirements, the CDPA also imposes obligations directly on processors to adhere to the instructions of a controller and to assist the controller in meeting the controller's obligations under the CDPA, including (§59.1-579(A) of the CDPA):
- fulfilling the controller's obligation to respond to consumer rights requests;
- assisting the controller in meeting the controller's obligations regarding data security and breach notification; and
- providing necessary information to enable the controller to conduct and document data protection assessments.
Data Protection Assessments
The CDPA requires controllers to conduct and document data protection assessments for processing activities involving personal data that present a heightened risk of harm to consumers, including (§59.1-580(A) of the CDPA):
- processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- profiling, where such profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers; and
- processing of sensitive data.
Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards the controller can implement to reduce such risks. The assessment of the benefits against the risks must take into account the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed (§59.1-580(B) of the CDPA).
The obligation to conduct data protection assessments is not retroactive and will apply only to processing activities created or generated after 1 January 2023 (§59.1-580(F) of the CDPA). Also, an assessment conducted by a controller to comply with other laws or regulations may satisfy the CDPA's requirement to conduct a data protection assessment, if the assessments have a reasonably comparable scope and effect (§59.1-580(D) and (E) of the CDPA).
Virginia's Attorney General ('AG') may request, and a controller must provide, any data protection assessment that is relevant to an investigation by the AG. Data protection assessments will be kept confidential and will be exempt from public inspection and copying under Virginia's Freedom of Information Act ('Virginia FOIA'). Also, the CDPA states that disclosure of a data protection assessment pursuant to a request from the AG will not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment (§59.1-580(C) of the CDPA).
The AG has exclusive authority to enforce the CDPA, and the CDPA does not provide a private right of action (§59.1-584(A) and (E) of the CDPA). The law includes a 30-day cure period pursuant to which the AG must provide 30 days' written notice to the controller or processor, as applicable, identifying the specific requirements of the CDPA alleged to have been violated. If, within the 30-day cure period, the controller or processor provides to the AG with an express written statement that the alleged violations have been cured and that no further violations will occur, the AG will not initiate an action against the controller or processor (§59.1-584(B) of the CDPA). However, if the controller or processor continues to violate the CDPA after the cure period or violates its express written statement provided to the AG, the AG may initiate an action and seek an injunction and civil penalties of up to $7,500 for each violation (§59.1-584(C) of the CDPA). The AG may also recover reasonable expenses, including attorney fees (§59.1-584(D) of the CDPA).
2.2. Personal Information Privacy Act
Virginia's Personal Information Privacy Act, under §59.1-442 et seq. of Chapter 35 of Title 59.1 of the Virginia Code (Va. Code), provides the following privacy protections.
Restriction on the sale of personal information by brick and mortar merchants
This restriction prohibits the sale of personal information by brick and mortar merchants unless reasonable notice is provided. The merchant is also required to honour do-not-sell requests. This restriction also prohibits the sale of personal information that is collected solely as the result of a customer's payment by personal check, credit card, or where the merchant records the number of the customer's driver's license or other document issued under §46.2-300 et seq. of Chapter 3 of Subtitle II of Title 46.2 of the Va. Code or the comparable law of another jurisdiction. This restriction does not apply to (Va. Code §59.1-442 to §59.1-443):
- information gathered to extend credit or to record the sale, rental, exchange or disclosure to others of information obtained from any public body;
- the sale of information concerning a check or credit card transaction when it is incidental to the sale or other disposition of accounts receivable;
- a merchant furnishing information on check writing activity of its customers in conjunction with check validation transactions; or
- information sold in connection with any sale by a business of the business's retail operations at one or more locations, if the information is sold only to the purchaser.
Prohibition on the collection of date of birth in connection with accepting a check as payment
This requirement prohibits any person who accepts checks for the transaction of business from recording, requesting, or requiring a person to record their date of birth on the check or elsewhere, as a condition of accepting the check. This does not prohibit requiring a person paying by check to provide their year of birth, and it does not apply to the collection or use of a date of birth that is unrelated to accepting payment by check (Va. Code §59.1-443(1)).
Restriction on the use of social security numbers
This restriction prohibits:
- intentionally communicating another individual's social security number to the general public;
- printing an individual's social security number on any card required for the individual to access or receive products or services;
- requiring an individual to use their social security number to access a website, unless a password, unique personal identification number or other authentication device is also required to access the website;
- sending mail that displays a social security number on the face of the mailing, or from which a social security number is visible; and
- embedding an encrypted or unencrypted social security number in or on a card or document (e.g., via bar code, chip, magnetic strip) instead of removing the social security number as required by the law.
These restrictions do not apply to public bodies. These restrictions also do not prohibit the collection, use, or release of a social security number as permitted by Virginia or federal laws, or the use of a social security number for internal verification or administrative purposes unless such use is prohibited by state or federal law (Va. Code §59.1-443(2)).
Restriction on the purposes for which a merchant may scan a driver's license or other document issued by the Department of Motor Vehicles
This restriction prohibits a merchant from scanning the machine-readable portion of a driver's license or other document issued by the Department of Motor Vehicles ('DMV') under Va. Code §46.2-300 et seq. or the comparable law of another jurisdiction, except to (Va. Code §59.1-443(3)):
- verify authenticity of the driver's license or other document or to verify the identity of the individual if the individual pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
- verify an individual's age when providing age-restricted goods or services to the individual if there is a reasonable doubt that the individual is 18 years of age or older;
- prevent fraud or other criminal activity if an individual returns an item or requests a refund or an exchange and the merchant uses a fraud prevention service company or system, provided that only the individual's name, address, date of birth, and the number of the driver's license number or other document are collected via scanning;
- comply with a requirement imposed on the merchant by Virginia or federal law;
- provide a legitimate check services company that receives information obtained from an individual's driver's license or other document to administer or enforce a transaction or to prevent fraud or other criminal activity; or
- complete a transaction permitted under the GLBA or the FCRA.
This restriction also prohibits a merchant from retaining any information obtained from scanning a driver's license or other document, except as permitted in the cases above. A merchant is also prohibited from selling or disseminating to a third party any information obtained from scanning a driver's license or other document for any marketing, advertising, or promotional purpose; however, this does not prohibit a merchant from disseminating to a third party such information for a purpose described above. Notably, any waivers of these privacy protections are deemed void and unenforceable.
Except with respect to the restriction on the use of social security numbers, a person aggrieved by a violation of the Personal Information Privacy Act is entitled to recover damages in the amount of $100 per violation plus reasonable attorney's fees and court costs. A violation of the use of social security numbers is a prohibited practice under the Virginia Consumer Protection Act, under §59.1-196 et seq. of Chapter 17 of Title 59.1 of the Va. Code. A person who suffers loss as the result of a violation of Virginia's Consumer Protection Act may recover actual damages or $500, whichever is greater, and damages may be tripled or $1,000, whichever is greater, for a wilful violation. A successful claimant may also be awarded reasonable attorney's fee and court costs (Va. Code §59.1-444).
2.3. Personal information breach notification
Like every state in the US, Virginia has enacted a personal information breach notification law, under §18.2-186.6 of Article 5 of Chapter 6 of Title 18.2 of the Va. Code ('the Breach Notification Law'). Virginia's Breach Notification Law applies to individuals, government, businesses, and any other legal entity, whether for profit or not for profit (Va. Code §18.2-186.6(B)). It does not, however, apply to an individual or entity regulated by the State Corporation Commission's ('SCC') Bureau of Insurance, or to certain criminal intelligence systems and a certain criminal street gang file of the Virginia Criminal Information Network (Va. Code §18.2-186.6(L)).
Under Virginia's Breach Notification Law, if unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorised person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any Virginia resident, an individual or entity that owns or licenses computerised data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the AG and any affected Virginia resident without unreasonable delay (Va. Code §18.2-186.6(B)). The following definitions are key to understanding whether the law's notification obligations are triggered.
Personal information: A Virginia resident's first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
- social security number;
- driver's license number or state identification card number issued in lieu of a driver's license number;
- financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts;
- passport number; or
- military identification number.
'Personal information' does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public (Va. Code §18.2-186.6(A)).
Breach of the security of the system: The unauthorised access and acquisition of unencrypted and unredacted computerised data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any Virginia resident. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorised disclosure (Va. Code §18.2-186.6(A)).
Encrypted: The transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable. Notification must be provided if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any Virginia resident (Va. Code §18.2-186.6(A) and §18.2-186.6(C)).
Redact: Alteration or truncation of data such that no more than the following are accessible as part of the personal information: five digits of a social security number; or the last four digits of a driver's license number, state identification card number, or account number (Va. Code §18.2-186.6(A)).
Like most personal information breach notification laws, Virginia's Breach Notification Law allows notification to be delayed in certain circumstances. In particular, notification may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system. Notification may also be delayed if, after notifying law enforcement, law enforcement advises that providing notice will impede a criminal or civil investigation, or homeland or national security. In the event of a law enforcement delay, notification must be made without unreasonable delay after law enforcement determines that the notification will no longer impede the investigation or jeopardise national or homeland security (Va. Code §18.2-186.6(B)).
Notification to affected individuals must be provided in writing to the last known postal address, by telephone, or by electronic notice. Alternatively, substitute notice is allowed if the cost of providing notice by postal mail, telephone or electronically will demonstrably exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000 residents, or the individual or the entity does not have sufficient contact information or consent to provide notice by postal mail, telephone or electronically. Substitute notification must be provided by email notice (if the email address is known), conspicuous website posting (if the individual or entity maintains a website) and notice to major state-wide media (Va. Code §18.2-186.6(A)).
Notification to affected individuals must include the following (Va. Code §18.2-186.6(A)):
- a description of the incident in general terms;
- the type of personal information that was subject to the unauthorised access and acquisition;
- the general acts of the individual or entity to protect the personal information from further unauthorised access;
- a telephone number that the person may call for further information and assistance, if one exists; and
- advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
If notification is provided to more than 1,000 persons, the individual or entity must notify the AG and nationwide consumer reporting agencies. Such notification must be provided without unreasonable delay and must provide information regarding the timing, distribution, and content of notification to affected persons (Va. Code §18.2-186.6(E)).
Virginia's Breach Notification Law also includes what is commonly referred to as a 'service provider notification obligation', which requires an individual or entity that maintains computerised data that includes personal information that the individual or entity does not own or license to notify the owner or licensee of the information without unreasonable delay, if the individual or entity knows or reasonably believes that such information was accessed and acquired by an unauthorised person (Va. Code §18.2-186.6(D)).
An entity may be deemed to be in compliance with the Breach Notification Law under the following circumstances:
- the entity maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information that are consistent with the timing requirements of the Virginia's Breach Notification Law and notifies Virginia residents in accordance with such procedures (Va. Code §18.2-186.6(F));
- the entity is subject to Title V of the GLBA and maintains procedures for notification of a breach of the security of the system in accordance with the provision of GLBA (Va. Code §18.2-186.6(G)); or
- the entity complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional state or federal regulator (Va. Code §18.2-186.6(H)).
The Breach Notification Law is enforced by the AG, who may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. A violation by a state-chartered or licensed financial institution is enforced exclusively by the financial institution's primary state regulator. Virginia's breach notification law does not limit an individual from recovering direct economic damages for a violation of the law (Va. Code §18.2-186.6(I)).
In 2017, Virginia amended its Breach Notification Law to require an employer or payroll service provider that owns or licenses computerised data relating to income tax withholding to notify the AG after the discovery or notification of unauthorised access and acquisition of unencrypted and unredacted computerised data that contains a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorised person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. Such notice must be provided without unreasonable delay and must include the name and federal employer identification number of the employer that may be affected by the compromise. Upon receipt of such notice, the AG is required to notify the Department of Taxation about the compromise. Notably, notification required by this amendment for a breach that does not otherwise require notification under the Breach Notification Law is not subject to any other notification, requirement, exemption, or penalty under the Breach Notification Law (Va. Code §18.2-186.6(M)).
In the event of a personal information breach, organisations are at risk of regulatory enforcement action. For example, the AG has joined in a number of high-profile, multi-state enforcement actions, including the $600 million settlement with Equifax in 2019 (which includes $4,302,173.75 for Virginia), the $148 million settlement with Uber in 2018 (which includes $2,956,512.59 for Virginia), and the $18.5 million settlement with Target in 2017 (which includes $352,710.80 for Virginia).
Organisations are also at risk of civil litigation brought by individuals whose personal information was compromised in a data breach. In such lawsuits, plaintiffs have alleged a variety of claims, including negligence, breach of contract, breach of fiduciary duty, breach of a duty of confidentiality, and violation of statutes, such as the Breach Notification Law. Although these cases are highly fact-specific, plaintiffs have generally struggled to establish injury. For example, in litigation following a cyberattack on Sony Pictures Entertainment, Inc. in 2014, various claims were filed against Sony, including a claim that Sony had violated Virginia's personal information breach notification statute by failing to notify plaintiffs for at least three weeks that their personal information had been compromised. The court dismissed this claim without leave to amend stating that the plaintiffs failed to plausibly allege any injury resulting from Sony's alleged untimely notification and that, based on the facts alleged, the plaintiffs cannot plausibly cure this defect (Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 RGK (Ex) (C.D. Cal. June 15, 2015)).
3.1. Virginia medical records privacy law
The Virginia Medical Records Privacy Law, under §32.1-127.1:03 of Article 1 of Chapter 5 of Title 32.1 of the Va. Code, provides an individual with privacy rights in the content of their health records and generally applies to health care entities and people working in a health care setting. It includes a variety of requirements regarding access to health records, permitted and prohibited disclosures, and exceptions. Although this law does not specifically provide for a private right of action, in 2010, a Federal District Court for the Eastern District of Virginia found that Virginia would recognise a private cause of action under a negligence theory for violation of a duty imposed by this law, such as the duty of a health care entity (or other person working in a health care setting) not to disclose an individual's health records (Harris v. United States, No. 3:10cv00027 (E.D. Va. June 08, 2010)).
Notably, the federal HIPAA pre-empts in the event of a conflict between Virginia's law and HIPAA; however, a state law that is more stringent than HIPAA will typically apply.
3.2. Health record storage
The Health Record Storage Law, under §32.1-127.1:01 of Article 1 of Chapter 5 of Title 32.1 of the Va. Code, permits health records to be stored by computerised or other electronic process or microfilm, or other photographic, mechanical, or chemical process, so long as the stored record identifies the location of any documents or information that could not be technologically stored. It also permits destruction of paper copies of health records that have been stored by computerised or other electronic process, microfilm, or other photographic, mechanical, or chemical process, so long as the technological storage process creates an unalterable record and the paper records are destroyed in a manner that preserves the patient's confidentiality. Prescription dispensing records maintained in or on behalf of a pharmacy registered or permitted in Virginia are subject to additional storage requirements.
3.3. Medical information breach notification
In addition to the Breach Notification Law described above, Virginia has also enacted the Medical Information Breach Notification Law, under §32.1-127.1:05 of Article 1 of Chapter 5 of Title 32.1 of the Va. Code, that applies specifically to:
- any authority, board, bureau, commission, district or agency of Virginia or of any political subdivision of Virginia, including cities, towns and counties, municipal councils, governing bodies of counties, school boards and planning commissions;
- boards of visitors of public institutions of higher education; and
- other organisations, corporations, or agencies in Virginia supported wholly or principally by public funds.
The Medical Information Breach Notification Law does not apply to a person or entity who is a covered entity or business associate under HIPAA and is subject to requirements for notification in the case of a breach of protected health information; or a person or entity who is a non-HIPAA-covered entity subject to the Health Breach Notification Rule promulgated by the Federal Trade Commission (Va. Code §32.1-127.1:05(F)).
Notification requirements are triggered when there is a breach of the security of the system involving medical information (Va. Code §32.1-127.1:05(B)). 'Breach of the security of the system', 'encrypted', and 'redact' are defined substantially similarly to how those terms are defined in the Breach Notification Law described above.
'Medical information' is defined as the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a Virginia resident, when the data elements are neither encrypted nor redacted: any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
Medical information does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public (Va. Code §32.1-127.1:05(A)).
The requirements regarding how notification must be provided, the timing and content of notification, and the service provider notification obligation are substantially similar to such requirements in the Breach Notification Law. In addition to requiring notification to affected individuals and the AG, the Medical Information Breach Notification Law also requires notification to the Commissioner of Health (Va. Code §32.1-127.1:05(A)-(E)).
An entity may be deemed to be in compliance with the Medical Information Breach Notification Law if the entity complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, and guidelines established by the entity's primary or functional state or federal regulator (Va. Code §32.1-127.1:05(G)).
3.4. Confidentiality for HIV test results
The Confidentiality for HIV Test Results Law, under §32.1-36.1 of Article 1 of Chapter 2 of Title 32.1 of the Va. Code, protects the results of HIV tests as confidential and prohibits releasing such test results, except to persons or entities permitted or authorised to obtain protected health information under an applicable federal or state law. This law may be enforced by the AG who may obtain a civil penalty of up to $5,000 per violation. Also, any person who is the subject of an unauthorised disclosure under this law is entitled to a private right of action for actual damages, if any, or $100, whichever is greater, and may also be awarded reasonable attorney's fees and court costs.
3.5. Various other medical-related privacy laws
Virginia has enacted various other laws relating to health information, including laws that address:
- transfers of medical information in connection with closure of a medical practice (Va. Code §54.1-2405);
- disclosures of medical information to emergency services personnel (Va. Code §32.1-116.1:1);
- reporting of communicable and other diseases (Va. Code §32.1-36);
- access to mental health records (Va. Code §37.2-400(A)(8));
- and state-maintained medical registries, such as hearing impairment (Va. Code §32.1-64.2), new-born screening (Va. Code §32.1-67.1), sickle cell screening (Va. Code §32.1-69), congenital anomalies (Va. Code §32.1-69.2), and cancer (Va. Code §32.1-71).
4.1. Insurance information and privacy protection
The Insurance Information and Privacy Protection Act, under §38.2-600 et seq. of Chapter 6 of Title 38.2 of the Va. Code, establishes standards for the collection, use, and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organisations. It includes the following privacy protections:
- restrictions on pretext interviews;
- various notice requirements;
- content requirements for disclosure authorisation forms;
- restrictions on preparing or requesting investigative consumer reports;
- individual rights to access, correct, amend or delete personal information;
- restrictions on seeking information about previous adverse underwriting decisions;
- restrictions on the basis for which adverse underwriting decisions may be made;
- restrictions on disclosing financial information;
- restrictions on disclosing medical-record or privileged information; and
- information security requirements.
The SCC may enforce this law, and individuals may also seek remedies for certain violations.
4.2. Security freeze rights
§59.1-444.2. of Chapter 35.1 of Title 59.1 of the Va. Code on security freezes requires a consumer reporting agency to place a security freeze on a consumer's credit report, if the consumer makes such a request by certified mail or other authorised secure method at the address designated by the agency to receive such requests. Subject to certain exceptions, a freeze prohibits consumer reporting agencies from releasing a consumer's credit report or any information from the report. The law does not prohibit consumer reporting agencies from informing third parties that a security freeze is in effect, so long as the agency does not indicate that the freeze reflects a negative credit score, history, report, or rating. The law includes provisions relating to timing and procedure requirements, temporarily lifting of a security freeze, permanent removal of a security freeze, exclusions, restrictions, fees, specific provisions for protected consumers (e.g., persons under 16 years of age), and notification requirements.
A person who wilfully fails to comply with this law with respect to a consumer will be liable to that consumer in an amount equal to the sum of (Va. Code §59.1-444.2(Q)):
- any actual damages sustained by the consumer as a result of the failure or damages of between $100 and $1,000;
- such amount of punitive damages as the court may allow; and
- the costs of the action together with reasonable attorney fees as determined by the court.
A person who negligently fails to comply with this law with respect to a consumer will be liable to that consumer in an amount equal to the sum of (Va. Code §59.1-444.2(S)).:
- any actual damages sustained by the consumer as a result of the failure; and
- the costs of the action together with reasonable attorney fees as determined by the court.
A person who obtains a consumer report, requests a security freeze, requests the temporary lift of a security freeze, or the removal of a security freeze from a consumer reporting agency under false pretences or in an attempt to violate federal or state law will be liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency or $1,000, whichever is greater (Va. Code §59.1-444.2(R)).
For certain violations, the AG has the exclusive authority to bring an action. In such case, the AG may cause an action to be brought in the name of the Commonwealth of Virginia to enjoin the violation and to recover damages for aggrieved consumers consistent with the limits set forth above. If the court finds a wilful violation, the court may, in its discretion, also award a civil penalty of up to $1,000 per violation, to be deposited in the Literary Fund of the Commonwealth. The AG may also recover any costs, the reasonable expenses incurred in investigating and preparing the case, and attorney fees (Va. Code §59.1-444.2(U)).
Upon a finding by the court that an unsuccessful pleading, motion, or other paper filed in connection with an action under this section was filed in bad faith or for purposes of harassment, the court will award to the prevailing party attorney fees reasonable in relation to the work expended in responding to the pleading, motion, or other paper (Va. Code §59.1-444.2(T)).
Notably, in 2018, §605A(i)(5) was added to the FCRA, and includes federal requirements for placing, temporarily lifting and removing security freezes, and prohibiting imposition of fees by a consumer reporting agency for such services.
5.1. Release of employee's personal identifying information
Under §40.1-28.7:4 of Article 1 of Chapter 3 of Title 40.1 of the Va. Code, an employer is prohibited from being required to release, communicate, or distribute to a third party any current or former employee's home telephone number, mobile telephone number, email address, shift times, or work schedule, except:
- as required by federal law that pre-empts this law;
- as ordered by a court of competent jurisdiction;
- as required pursuant to a warrant issued by a judicial officer; or
- as required by a subpoena issued in a pending civil or criminal case, or by discovery in a civil case.
5.2. Social media accounts of current and prospective employees
§40.1-28.7:5 of Article 1 of Chapter 3 of Title 40.1 of the Va. Code prohibits a private or government employer from requiring a current or prospective employee to (1) disclose the username and password to the current or prospective employee's social media account; or (2) add an employee, supervisor, or administrator to the list of contacts associated with the current or prospective employee's social media account. It also prohibits an employer from accessing an employee's social media account using a username and password, or other login credentials, the employer inadvertently obtained through the use of an electronic device provided to the employee by the employer or a program that monitors an employer's network. In such a circumstance, the employer will not be liable for having the login credentials so long as it does not use the information in violation of this law.
This law also prohibits an employer from taking action against or threating to discharge, discipline, or otherwise penalise a current employee for exercising their rights under this law, or failing or refusing to hire a prospective employee for exercising their rights under this law (Va. Code §40.1-28.7:5(D)). It does not prohibit an employer from viewing information about a current or prospective employee that is publicly available (Va. Code §40.1-28.7:5(E)). It also does not prevent an employer from complying with the requirements of federal, state, or local laws, rules, or regulations or the rules or regulations of self-regulatory organisations, or affect an employer's existing rights or obligations to request an employee to disclose their username and password for the purpose of accessing a social media account if the employee's social media account activity is reasonably believed to be relevant to a formal investigation or related proceeding by the employer of allegations of an employee's violation of federal, state, or local laws or regulations or of the employer's written policies (Va. Code §40.1-28.7:5(F)).
5.3. Genetic testing or genetic characteristics as a condition of employment
§40.1-28.7:1 of Article 1 of Chapter 3 of Title 40.1 of the Va. Code prohibits an employer from (1) requesting, requiring, soliciting or administering a genetic test to any person as a condition of employment; or (2) refusing to hire, failing to promote, discharging or otherwise adversely affecting any term or condition of employment of any employee or prospective employee solely on the basis of a genetic characteristic, or the results of a genetic test, regardless of how the employer obtained such information or results. This does not preclude the use of information related to a criminal investigation (Va. Code §40.1-28.7:1(A)). The employee may bring an action against an employer who took adverse action against the employee in violation of this law. The court may, in its discretion, award actual or punitive damages, including back pay with interest. (Va. Code §40.1-28.7:1(B)).
5.4. Employee references
§8.01-46.1 of Article 4 of Chapter 3 of Title 8.01 of the Va. Code protects an employer that, on the request of a person's prospective or current employer, furnishes information about the person's professional conduct, reasons for separation, or job performance, including information in written performance evaluations, from civil liability, if the employer is not acting in bad faith. An employer will be presumed to be acting in good faith. The presumption of good faith can be rebutted if it is shown by clear and convincing evidence that the employer disclosed the information with knowledge that it was false, or with reckless disregard for whether it is true or false, or with the intent to deliberately mislead (Va. Code §8.01-46.1(A)). In a civil action brought against an employer for disclosing such information, punitive damages may be awarded if the trier of fact determines the employer acted in bad faith (Va. Code §8.01-46.1(B)).
5.5. Protection of driving records
§46.2-208 of Article 1 of Chapter 2 of Subtitle I of Title 46.2 of the Va. Code generally protects certain records maintained by the DMV; however, the DMV is permitted to release information in certain circumstances. For example, upon the written request of an employer or prospective employer and with the consent of the data subject, the DMV may compare personal information supplied by the employer with its records and, if different from the information supplied, may provide the employer with the correct information and may also provide the employer with an abstract of the data subject's driving record, so long as the employment position at issue involves the operation of a motor vehicle (Va. Code §46.2-208(B)(11)).
5.6. Employee monitoring
§18.2-167.1 of Article 8 of Chapter 5 of Title 18.2 of the Va. Code governing the interception or monitoring of customer telephone calls prohibits any person, firm or corporation from intercepting or monitoring, or attempting to intercept or monitor a telephone call between an employee (or other agent) and a customer, unless the person, firm or corporation gives notice to the employee (or agent) that such monitoring may occur at any time during the course of employment. The provisions of this law do not apply to any wiretap or other interception of any communication authorised pursuant to Virginia's wiretap law. A violation of this law is a Class 4 misdemeanour.
Virginia employers should also be mindful of laws such as Virginia's wiretap law noted below, especially with respect to employee monitoring practices.
See section 2.1. above regarding Virginia's CDPA, which includes comprehensive data privacy requirements. Also, as noted above, Va. Code §40.1-28.7:5 prohibits an employer from requiring a current or prospective employee to disclose the username and password to their social media account, which protects the online privacy of such current or prospective employee.
§18.2-152.3:1(A) of the Virginia Computer Crimes Act under §18.2-152.1 et seq. of Article 7.1 of Chapter 5 of Title 18.2 of the Va. Code prohibits:
- using a computer or computer network with the intent to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of spam through or into the computer network of an electronic mail service provider or its subscribers; or
- knowingly selling, giving, or otherwise distributing or possessing with the intent to sell, give, or distribute software that:
- is primarily designed or produced for the purpose of facilitating or enabling the falsification of the transmission information or other routing information of spam;
- has only limited commercially significant purpose or use other than to facilitate or enable the falsification of the transmission information or other routing information of spam; or
- is marketed by that person acting alone or with another for use in facilitating or enabling the falsification of the transmission information or other routing information of spam.
A violation is a Class 1 misdemeanour (Va. Code §18.2-152.3:1(A)). A violation of provision (1) when the volume of spam transmitted exceeded 10,000 attempted recipients in any 24-hour time period, 100,000 attempted recipients in any 30-day time period, or one million attempted recipients in any one-year time period or when the revenue generated from a specific transmission of spam exceeded $1,000 or the total revenue generated from all spam transmitted to any email marketing service provider exceeded $50,000, is a Class 6 felony (Va. Code §18.2-152.3:1(B)). Knowingly hiring, employing, using, or permitting any minor to assist in the transmission of spam in violation of (2) above is a Class 6 felony (Va. Code §18.2-152.3:1(C)). Virginia's Computer Crimes Act also provides for certain civil actions (Va. Code §18.2-152.12).
7.2. Virginia Telephone Privacy Protection Act
The Virginia Telephone Privacy Protection Act, under §59.1-510 et seq. of Chapter 32 of Title 59.1 of the Va. Code, prohibits a telephone solicitor from initiating a solicitation call when a person has previously stated that they do not wish to receive the call. Any such request must be honoured for ten years (Va. Code §59.1-514(A)). A telephone solicitor is also prohibited from initiating a solicitation call to a telephone number on the National Do Not Call Registry maintained by the FTC (Va. Code §59.1-514(B)).
Solicitation calls do not include a telephone call made to any person:
- with that person's prior express invitation or permission as evidenced by a signed, written agreement stating that the person agrees to be contacted by or on behalf of a specific party and including the telephone number to which the call may be placed;
- with whom the person on whose behalf the telephone call is made has an established business relationship; or
- with whom the telephone solicitor making the telephone call has a personal relationship.
The exemption for an established business relationship or a personal relationship does not apply when the person called previously has stated that they do not wish to receive telephone solicitation calls (Va. Code §59.1-514(D)).
Any person who is aggrieved by a violation of this law is entitled to initiate an action for injunctive relief and to recover damages in the amount of $500 for a first violation, $1,000 for a second violation, and $5,000 for each subsequent violation. For a wilful violation, the court may, in its discretion, increase the amount of damages awarded to up to $5,000. In addition to any damages, reasonable attorney fees and court costs may also be rewarded (Va. Code §59.1-515). The AG may also bring an enforcement action to enjoin a violation of this law and recover damages for aggrieved persons in the amount of $500 for a first violation, $1,000 for a second violation, and $5,000 for each subsequent violation, or up to $5,000 for each wilful violation (Va. Code §59.1-517).
It is an affirmative defence if the defendant has established and implemented, with due care, reasonable practices and procedures to effectively prevent telephone solicitation calls in violation of this law, including using, in accordance with applicable federal regulations, a version of the National Do Not Call Registry obtained from the administrator of the registry no more than 31 days prior to the date any telephone solicitation call is made (Va. Code §59.1-517).
See section 2.1. above regarding Virginia's CDPA, which requires controllers to provide reasonably accessible, clear, and meaningful privacy notices that include certain specified content (§59.1-578(C) of the CDPA).
See section 2.1. above regarding Virginia's CDPA, which requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data (§59.1-578(A)(3) of the CDPA).
In addition, certain other laws described in this Guidance Note include data security requirements. Virginia has also enacted the Virginia Information Technologies Agency Act, under Chapter 20.1 of Part C of Subtitle I of Title 2.2 of the Va. Code, which governs the duties of the chief information officer of Virginia as they relate to the security of government information. This law requires such chief information officer to provide technical guidance to the Department of General Services in the development of policies, standards, and guidelines for the recycling and disposal of computers and other technology assets and requires policies, standards, and guidelines to include the expunging of all confidential data and personal identifying information of citizens of Virginia prior to such sale, disposal, or other transfer of computers or other technology assets.
Virginia has also enacted laws that require notification in the event of certain data security breaches, as described in this overview.
10.1. Student Records and Personal Information
In addition, §23.1-405 of Chapter 4 of Subtitle II of Title 23.1 of the Va. Code permits a public or private institution of higher education to require any student who attends, or any applicant who has been accepted to and has committed to attend such institution, to provide, from the originating secondary school and, if applicable, any institution of higher education they have attended, a complete student record, including any mental health records held by the previous school or institution. However, it is required that the records be kept confidential pursuant to state and federal law, including the federal FERPA. Additionally, Va. Code §23.1-405 protects student privacy by restricting disclosure of student directory information, prohibiting the sale of student personal information, and prohibiting requiring a student to disclose the username or password to their personal social media accounts.
Moreover, §22.1-289.01 of Article 5 of Chapter 14 of Title 22.1 of the Va. Code also includes specific provisions that apply to a business providing online school services. 'School service' is defined as a website, mobile application, or online service that is designed and marketed primarily for use in elementary or secondary schools, is used at the discretion of teachers or employees of primary or secondary schools or a school-affiliated entity, and collects, maintains, or shares student personal information. These provisions include a number of requirements, such as the requirement to provide clear, easy-to-understand information about the information they collect and how the information is maintained, used, or shared. These provisions also include a number of prohibitions, such as a prohibition on using or sharing student personal information for the purpose of targeted advertising to students. These provisions also permit school service providers to engage in a number of activities, including using student personal information for adaptive or personalised learning and maintaining, developing, or improving the school service. No duty is imposed on any online marketplace to review a school service provider offering its service for sale on the marketplace to ensure its compliance with these provisions. Also, no liability is imposed on an interactive computer service for content provided by another individual, and no student is prohibited from downloading, exporting, transferring, saving, or maintaining their personal information.
Va. Code §22.1-287.04 also prohibits the Department of Education and local school boards from requiring students or parents of students enrolled in public elementary or secondary schools or receiving home instruction to provide the students' social security numbers.
10.2. Unauthorised use of a person's name or picture
§18.2-216.1 of Article 8 of Chapter 6 of Title 18.2 of the Va. Code prohibits the use of a person's name, portrait, or picture for advertising purposes or for the purposes of trade without the person's prior written consent. If the person is dead, prior written consent must be obtained from the surviving consort and if none, from the next of kin. If the person is a minor, prior written consent must be obtained from their parent or guardian. A person may bring a lawsuit for equitable relief and actual damages. For knowing violations, a jury, in its discretion, may award punitive damages. In addition, under Virginia criminal law, a violation is a misdemeanour subject to a fine of $50 to $1,000.
10.3. Motor vehicle recording devices
§46.2-1088.6 of Article 10 of Chapter 10 of Subtitle III of Title 46.2 of the Va. Code prohibits access to data recorded on a motor vehicle recording device, except by the motor vehicle owner or with the owner's consent. There are several exceptions to this prohibition, including when access is required to perform a contract with the owner of the motor vehicle or when an emergency response provider requires access to provide emergency response.
10.4. Use of Photo Speed Monitoring Devices
§46.2-882.1 of Article 8 of Chapter 8 of Subtitle III of Title 46.2 of the Va. Code includes requirements and restrictions with respect to information collected by a photo speed monitoring device, including use limitations and protection requirements.
10.5. Government Data Collection and Dissemination Practices Act
Virginia's Government Data Collection and Dissemination Practices Act ('GDCDPA'), under §2.2-3800 et seq. of Chapter 38 of Title 2.2 of the Va. Code, requires state agencies maintaining an information system that includes personal information to collect, maintain, use, and disseminate such personal information only as permitted by law, or as necessary to accomplish a proper purpose of the agency. It applies to state agencies and includes a variety of privacy protections relating to collection and use, disclosure, access and correction, data retention, and security of personal information (Va. Code §2.2-3800 to §2.2-3808.1).
Any aggrieved person may institute a proceeding for injunction or mandamus against any person or agency that has engaged, is engaged, or is about to engage in any acts or practices in violation of the GDCDPA. Additional remedies are available for certain wilful and knowing violations by a specific public officer, appointee, or employee of an agency (Va. Code §2.2-3809).
10.6. Protection of social security numbers in FOIA disclosures
§2.2-3815 of Chapter 38.1 of Part B of Subtitle II of Title 2.2 of the Va. Code prohibits disclosure of the first five digits of a social security number contained in a public record disclosure under the Virginia FOIA. Va. Code §2.2-3815 includes several exceptions, such as disclosure in accordance with a proper judicial order.
10.7. Computer invasion of privacy and other crimes
Va. Code §18.2-152.5 makes it unlawful to use a computer or computer network and intentionally view any employment, salary, credit or any other financial or identifying information without the authority to do so. However, it is not unlawful to collect information that is reasonably needed to:
- protect the security of a computer, computer service, or computer business, or to facilitate diagnostics or repair in connection with such computer, computer service, or computer business; or
- determine whether the computer user is licensed or authorised to use specific computer software or a specific computer service.
Virginia has enacted a number of additional criminal statutes prohibiting activities that may result in violating a person's privacy. For example, Va. Code §18.2-152.4 makes it unlawful to maliciously install computer software that records keystrokes made on a computer without the computer owner's authorisation, and the Wiretap Law, under §19.2-61 et seq.of Chapter 6 of Title 19.2 of the Va. Code, makes it unlawful to intentionally intercept, attempt to intercept, or procure another person to intercept any wire, electronic, or oral communication, unless the person is a party to the communication or one of the parties to the communication has given prior consent to the interception.
Certain of these criminal laws may also provide for civil actions. For example, under the Wiretap Law, a civil action is available for a person whose wire, electronic, or oral communication has been unlawfully intercepted. A person may recover actual damages, but not less than liquidated damages of $400 per day of violation or $4,000, whichever is greater. The liquidated damages increase to $800 per day of violation or $8,000, whichever is greater, if the intercepted communication is between a husband and a wife; an attorney and a client; a licensed practitioner of the healing arts and a patient; a specified licensed counsellor, social worker, psychologist, or therapist and their client; or a clergy member and a person seeking spiritual counselling or advice. The person may also be awarded punitive damages, reasonable attorney fees, and other reasonably incurred litigation costs. Good faith reliance on a court order or legislative authorisation is a complete defence to a civil or criminal action brought under the Wiretap Law (Va. Code §19.2-69).