Virginia Code 38.2-629: Exceptions.
A. The following exceptions shall apply to this article:
Terms Used In Virginia Code 38.2-629
- Cybersecurity event: means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information in the possession, custody, or control of a licensee or an authorized person. See Virginia Code 38.2-621
- HIPAA: means the federal Health Insurance Portability and Accountability Act (Virginia Code 38.2-621
- Information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. See Virginia Code 38.2-621
- Licensee: means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the Commonwealth. See Virginia Code 38.2-621
- Nonpublic information: means information that is not publicly available information and is:
1. See Virginia Code 38.2-621
1. A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of § 38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of §§ 38.2-624 and 38.2-626.
2. An employee, agent, representative or designee of a licensee, who is also a licensee, is exempt from §§ 38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.
3. A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to §§ 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of § 38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution’s adoption of an information security program that satisfies the Interagency Guidelines.
B. If a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.
2020, c. 264.