Virginia passes a first-of-its-kind amendment in reaction to popular payroll tax scams.
Breach Notification Laws are constantly evolving and reacting to the perils of cyber threats and vulnerabilities. Two of the most recent regulatory updates (NYDFS & VA) show specific reactions to the rapidly changing security threats.
One prominent threat impacting legislation is the increasing persistence of W-2 scams. The W-2 scams have raised the issue of cybersecurity beyond the common stereotype that breaches only occur to large retailers. With this employee-focused social engineering scheme, organizations large and small in all industries are now targets.
This threat was recently addressed through an amendment to Virginia’s data breach notification law. Virginia amended their notification requirements by expanding the types of data requiring notification and adding the requirement for state authorities to be promptly notified of a breach of payroll data.
As recently as March 13, 2017, Virginia’s governor approved the amendment requiring employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Once the Attorney General’s office receives notice, the Office of the AG must then notify the state’s Department of Taxation of the breach.
Existing state law requires that an entity or individual that owns, maintains, or possesses personal information of Virginia residents, and who has a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, must report the unauthorized breach to the Office of the Virginia Attorney General, and also must provide notification to each affected Virginia resident.
How is this amendment different?
This new notification requirement applies even if the statute does not require the organization to notify affected state residents of the breach. Therefore, this amendment not only expands the types of data that require notification, but also requires notification to the state for this data even when the same circumstances would not currently trigger the requirement to notify individuals.
Additionally, the notice to the Attorney General’s office requires additional details from the organization, including the affected employer or payroll service provider’s name and federal employer identification number. This notice to the Office of the AG must be made “without unreasonable delay.”
When is this effective?
These amendments to the Virginia law are effective July 1, 2017.
Practical Application: Employee Awareness & Training
Companies and individual taxpayers should remain vigilant and exercise care in responding to any request for copies of W-2 forms. Employees are often an organization’s weakest link leading to a data breach. Training employees on data security best practices and awareness of potential risks and consequences of such threats can greatly reduce security risks.
ePlace Solutions provides a series of training courses on Social Engineering, including Spear-Phishing attacks such as the W-2 Scam. If you’re reading our newsletter, it’s likely your organization has access to these training courses through your cyber insurance policy. Reach out to firstname.lastname@example.org to take advantage of your free training resources for your workforce.