Liisa M. Thomas, Robert H. Newman, and Eric J. Shinabarger of Winston Strawn LLP write:
With little fanfare, Virginia recently amended its data breach notification law, requiring employers and payroll service providers to notify the Virginia Attorney General if they are subject to a W2 phishing scam. More specifically, the law requires that they notify the Virginia AG if they discover “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withhold for an individual” if there is compromise to the data and it will cause identity theft or fraud. This requirement is the first of its kind, and will be effective July 1, 2017.
Read more on Lexology.