The Virginia General Assembly is underway and several privacy related bills are on the legislative agenda for 2018. The Virginia legislature will consider approximately 3,000 bills during its 60-day session that will end in early March. Several of these pending bills have privacy implications in a variety of substantive areas.
Tax Return Data
In an attempt to further address the growing problem of criminals filing fraudulent tax returns after stealing the identities of unsuspecting taxpayers, companion bills are pending in the House of Delegates and Virginia Senate that impose a breach notification duty on state tax return preparers, as defined in Va. Code Ann. § 58.1-302. This legislation follows the adoption last year of a requirement that employers and payroll service providers provide a breach notification to the Attorney General of Virginia when such entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).
The bills this year appear to be a further expansion of the Department of Taxation’s attempt to combat criminals filing fraudulent tax returns. Specifically, the bills require state tax return preparers to notify the Virginia Department of Tax “without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” In such circumstances, the tax return preparer is required to provide the Department of Tax with certain information about the preparer and the taxpayer. (HB183 (pending); SB271 (pending)).
Net Neutrality at the State Level
While the debate concerning “net neutrality” rages at the federal level, one Virginia lawmaker has introduced two bills aimed at instituting a state-based approach to neutrality. The first bill prohibits companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a user’s ability to access broadband internet access. The bill also limits broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. (SB948)
The second bill on the same topic takes a more targeted approach. The bill proposes to limit state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Specifically, SB949 prohibits internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill prohibits such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law enforcement activities.
Additional bills related to privacy include (partial listing):
- Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588 (pending)
- Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted of, any crime (a.k.a. “ban-the-box”). SB252 (pending); HB1357 (pending)
- Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240 (pending)
- Allowing the use of drones by law enforcement without obtaining a warrant under certain circumstances. HB1290 (pending)
- Prohibiting the disclosure under Virginia’s open record laws information contained in engineering and construction drawings and plans for single-family residences that are submitted to local governments for building code purposes. HB683 (pending)
- Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law enforcement officer except pursuant to a search warrant. HB604 (defeated)
- Eliminating the ability of credit reporting agencies to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB16; SB18; SB22; SB95 (pending; partial listing)
- Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1 (pending); HB147 (pending)
- Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39 (pending)
While the largest number of privacy related bills this legislative session concern the ability of consumers to freeze their credit reports without a fee, there are a host of other bills to monitor that have important consequences for consumers and privacy professionals.