Virginia Enacts Nation’s First Payroll Data Breach Notification Law

On March 13, Virginia Governor Terry McAuliffe approved an amendment to Virginia’s data breach notification law that, as of July 1, 2017, will require employers and payroll service providers to notify the Virginia Office of the Attorney General of unauthorized access to employees’ W-2 information. The Virginia legislature enacted the law in response to IRS warnings concerning email phishing scams targeting sensitive taxpayer information. The statute is the first of its kind in the nation, but given the publicity surrounding payroll phishing scams, it likely will not be the last. Fortunately, employers can take steps now to guard against phishing scams and other cyberattacks.

What Employers and Payroll Service Providers Need To Know About the Amendment

The amendment requires employers and payroll service providers to notify the Virginia Office of the Attorney General of “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer” when the employer or service provider reasonably believes that the incident has caused or will cause identity theft or other fraud. The Attorney General is required to notify the Virginia Department of Taxation upon receipt of notification from the employer or service provider.

Significantly, the requirement to notify the Attorney General applies even in cases where businesses are not required to notify affected Virginia residents.

Steps To Take Now To Prevent Data Breach

The new payroll data breach notification law is just another reminder that employers should be taking active steps to protect their data.

Limit Access. Companies should limit access to payroll and other sensitive data to those employees who need the data to perform their jobs. Limiting access significantly reduces the likelihood that a company will become the victim of a phishing attempt. Likewise, well-communicated IT usage and bring-your-own-device (BYOD) policies can help ensure that sensitive data is accessed only by authorized employees through approved applications.

Educate  Employees. Employers must train employees on how to recognize and avoid phishing attempts. Employees should be instructed to always get verbal confirmation that any request for payroll or other personnel data is valid, even when the request appears to be from the CEO of the company. Simply taking the time to verify the authenticity of a request could save a company thousands of dollars in breach remediation expenses and attorney's fees.

Don’t Forget Vendors. Companies that outsource payroll or other HR functions need to exercise due diligence when selecting vendors to deal with this sensitive data. Vendors should be contractually obligated to train employees on privacy and security matters, adopt effective information security programs, and maintain cyber liability insurance to help manage risk.

Prepare for a Breach. No matter how many precautions a company takes, it is impossible to completely eliminate the risk of a cyberattack. Advanced planning can go a long way toward minimizing exposure and reducing costs in the event of a breach. Developing a customized security incident response plan can save time and promote efficiency by allowing management to think through crucial issues before a crisis. Companies should also consider investing in robust cyber liability insurance to cover expenses such as call center staffing and credit monitoring for affected individuals.


With the proliferation of scams targeting employees’ most sensitive personal information, employers must implement appropriate safeguards to protect employee data. Education and advanced planning can greatly reduce a company’s risk and place it in a favorable position in the event a breach does occur.


Angela R. Matney is a founding member of Hirschler Fleischer’s Cybersecurity and Data Privacy Group and is a Certified Information Privacy Professional. She may be reached at 540.604.2117 or