With little fanfare, Virginia recently amended its data breach notification law to require employers and payroll service providers to notify the Virginia Attorney General if they fall victim to a W2 phishing scam. More specifically, the law requires notice to the Virginia AG upon discovery of “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withheld for an individual” if the data has been compromised and the compromise will cause identity theft or fraud. This requirement is the first of its kind and takes effect July 1, 2017. Upon receipt of the notification (which should include the name and federal identification number of the employer), the AG’s office will notify the Department of Taxation.
If the incident does not otherwise trigger Virginia’s breach notification obligations, then no notification other than this one (to the AG) is required. That would be the case, for example, if the information impacted was only a taxpayer ID and income tax withheld, without the name of the impacted individual or a social security number, since the Virginia law defines triggering information as name in combination with social security number. Another example would be an incident in which the information impacted was a name and an individual taxpayer identification number rather than a social security number.
The IRS recently issued a warning to employers to remain vigilant for such attacks.
TIP: Companies that suffer a W2 phishing scam should keep this new Virginia requirement in mind. While many companies that suffer such an incident may already notify the IRS, after July 1 they will also need to consider whether notice to the Virginia AG is warranted.