small-logo
ProfessionalsCapabilitiesInsights & NewsCareersLocations
About UsAlumniOpportunity & InclusionPro BonoCorporate Social Responsibility
Stay Connected:
facebookinstagramlinkedintwitteryoutube
  1. Privacy & Data Security

Blog

Virginia Adds Requirements for Payroll Incidents to Breach Law

  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page
  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page

Blog

Virginia Adds Requirements for Payroll Incidents to Breach Law

  • PDFPDF
    • Email
    • LinkedIn
    • Facebook
    • Twitter
    Share this page

1 Min Read

Author

Eric Shinabarger

Related Locations

Chicago

Related Topics

Data Breach
Workplace Privacy

Related Capabilities

Privacy & Data Security

Related Regions

North America

March 28, 2017

With little fanfare, Virginia recently amended its data breach notification law, requiring employers and payroll service providers to notify the Virginia Attorney General if they are subject to a W2 phishing scam. More specifically, the law requires that they notify the Virginia AG if they discover “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withhold for an individual” if there is compromise to the data and it will cause identity theft or fraud. This requirement is the first of its kind, and will be effective July 1, 2017. Upon receipt of notification—which should include name and the employer’s federal identification number—the AG’s office will notify the Department of Taxation.

If the incident does not otherwise trigger Virginia’s breach notification obligations, then no other notification other than this one (to the AG) is required. Such a situation might be, for example, if the information impacted was only a taxpayer ID and income tax withheld, without the name of the impacted individual or a social security number, since the Virginia law defines triggering information as name and social security number. Another example would be if the information impacted was name and an individual taxpayer identification number rather than a social security number.

The IRS recently issued a warning to employers to remain vigilant for such attacks.

TIP: Companies who suffer a W2 phishing scam should keep this new Virginia requirement in mind. While many companies who suffer such an incident may already notify the IRS, post July 1 they will now need to consider whether notice to the Virginia AG is warranted. 

Related Professionals

Related Professionals

Eric Shinabarger

Eric Shinabarger

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.

Logo
facebookinstagramlinkedintwitteryoutube

Copyright © 2025. Winston & Strawn LLP

AlumniCorporate Transparency Act Task ForceDEI Compliance Task ForceEqual Rights AmendmentLaw GlossaryThe Oval UpdateWinston MinutePrivacy PolicyCookie PolicyFraud & Scam AlertsNoticesSubscribeAttorney Advertising