Bill > HB954

Introduced Session

Cybersecurity; care and disposal of customer records; security for connected devices. Requires any business to take all reasonable steps to dispose of, or arrange for the disposal of, customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable. The measure requires any business that owns, licenses, or maintains personal information about a customer to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. A violation of these requirements constitutes a prohibited practice under the Virginia Consumer Protection Act. The measure also requires a manufacturer of a device or other physical object that is capable of connecting directly or indirectly to the Internet to (i) equip the device with reasonable security features, (ii) demonstrate conformity with industry standards for cybersecurity and resiliency, (iii) provide an opt-in forum or registration capability to allow consumers to know when a vulnerability or breach is discovered, (iv) make patch notification and end-of-life support events easily obtainable by registered users of the manufacturer's connected devices, and (v) when it is aware of existing vulnerabilities that put more than 500 users at risk, notify the office of the Chief Information Officer of the Commonwealth and provide remediation steps to consumers without unreasonable delay. The bill has a delayed effective date of January 1, 2021. Cybersecurity; care and disposal of customer records; security for connected devices. Requires any business to take all reasonable steps to dispose of, or arrange for the disposal of, customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable. The measure requires any business that owns, licenses, or maintains personal information about a customer to implement and maintain reasonable security procedures and practices appropriate to the nature of the information in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. A violation of these requirements constitutes a prohibited practice under the Virginia Consumer Protection Act. The measure also requires a manufacturer of a device or other physical object that is capable of connecting directly or indirectly to the Internet to (i) equip the device with reasonable security features, (ii) demonstrate conformity with industry standards for cybersecurity and resiliency, (iii) provide an opt-in forum or registration capability to allow consumers to know when a vulnerability or breach is discovered, (iv) make patch notification and end-of-life support events easily obtainable by registered users of the manufacturer's connected devices, and (v) when it is aware of existing vulnerabilities that put more than 500 users at risk, notify the office of the Chief Information Officer of the Commonwealth and provide remediation steps to consumers without unreasonable delay. The bill has a delayed effective date of January 1, 2021.

AI Summary

Committee Categories

Hala Ayala (D)*, 

Left in Communications, Technology and Innovation (on 12/04/2020)

Official Document