Virginia Imposes New Breach Notification Requirements on Tax Preparers
On Friday, March 9, 2018, Virginia Governor Ralph Northam signed H.B. 183, which imposes data breach notification requirements on certain tax preparers. The bill, introduced by Delegate Hala S. Ayala, had unanimous support in both the Virginia House and Senate. The bill was passed, in part, in response to the fact that tax preparers previously did not have to provide notification to Virginia’s tax regulators if unencrypted and unredacted confidential tax return information was subject to unauthorized access and acquisition.
The bill, which goes into effect July 1, 2018, creates a new section under the Virginia Code (Va. Code Ann. § 58.1-341.2) separate from the state’s main data breach notification statute. It obligates “Signing Income Tax Return Preparers” who sign and prepare income tax returns for Virginia residents to provide notice to the Virginia Department of Taxation in the event of unauthorized access and acquisition of “return information” that the tax preparer maintains and that creates the “reasonable belief” that the information could cause identity theft or other fraud. There are several notable components of the bill:
- The bill only applies to “signing” income tax return preparers, meaning those preparers who have the primary responsibility and/or oversight for the accuracy of the tax return;
- The bill defines “return information” to include a taxpayer’s identity and the nature, source, or amount of his or her income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments. This definition does not include publicly available information.
- The bill does not cover instances where an individual’s “personal information”—e.g. an individual’s name in combination with an unencrypted or unredacted Social Security number; driver’s license or state identification card number; or financial, credit card, or debit card number and the means to access the account—is affected by a data security incident. Instead, a signing income tax preparer would still need to comply with Virginia’s main data breach notification statute (Va. Code Ann. § 18.2-186.6) if such data were subject to unauthorized access and acquisition.
- The bill requires tax preparers to provide the Department of Taxation with the name and taxpayer ID of any affected individual, as well as certain information about the tax preparer;
- The bill does not require consumer (taxpayer) notification in the event that an individual’s return information has been affected by a data breach;
- The bill does not require notification to the Department of Taxation unless the affected information is unencrypted and unredacted; and
- The bill requires such notice to the Department of Taxation be made “without unreasonable delay after the discovery or notification of unauthorized access and acquisition.”
Like Virginia’s primary data breach notification statute, the bill requires notice to be made when particular data is subject to unauthorized “access and acquisition.” It thus appears that mere access to return information is not sufficient to trigger notification requirements; instead, such information must also be acquired in order for the notification requirements under the bill to be triggered. Nonetheless, it is best to assume that a tax preparer would need to provide notice where access is demonstrated, unless it can be affirmatively shown that cyber thieves did not have the ability to simultaneously copy or exfiltrate data.
Though the provisions of the bill will go into effect this summer, potentially affected “signing income tax return preparers” who have clients in the Old Dominion should review and revise their breach response protocols so that procedures are in place by July 1, 2018, to ensure that the Department of Taxation is promptly notified of any data security incident that affects the return information of any Commonwealth residents.
Lewis Brisbois’ data privacy and cybersecurity attorneys are available to assist preparers with assessing their breach response protocols and with responding to any data security incident that may require consumer or regulatory notification under Virginia laws as well as the other 47 state data breach notification regimes.