Virginia § 38.2-629 Exceptions

Virginia Statutes

§ 38.2-629 — Exceptions

Virginia § 38.2-629

Title 38.2Insurance

Ch. 6Insurance Information and Privacy Protection

Art. 2Insurance Data Security Act

This text of Virginia § 38.2-629 (Exceptions) is published on Counsel Stack Legal Research, covering Virginia primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Va. Code Ann. § 38.2-629 (2026).

Text

A.The following exceptions shall apply to this article:

1.A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of § 38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of §§ 38.2-624

Free access — add to your briefcase to read the full text and ask questions with AI

A. The following exceptions shall apply to this article:

1. A licensee subject to HIPAA that has established and maintains an information security program pursuant to such statutes, rules, regulations, or procedures established thereunder shall be considered to meet the requirements of § 38.2-623, provided that licensee is compliant with, and submits a written statement certifying its compliance with, the same, and certifies that it will protect nonpublic information not subject to HIPAA in the same manner it protects information that is subject to HIPAA, and any such licensee that investigates a cybersecurity event and notifies consumers in accordance with HIPAA and any HIPAA-established rules, regulations, or procedures shall be considered compliant with the requirements of §§ 38.2-624 and 38.2-626.

2. An employee, agent, representative or designee of a licensee, who is also a licensee, is exempt from §§ 38.2-623, 38.2-624, 38.2-625, and 38.2-626 and need not develop its own information security program or conduct an investigation of or provide notices to the Commissioner and consumers relating to a cybersecurity event, to the extent that the employee, agent, representative, or designee is covered by the information security program, investigation, and notification obligations of the other licensee.

3. A licensee affiliated with a depository institution that maintains an information security program in compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines) as set forth pursuant to §§ 501 and 505 of the federal Gramm-Leach-Bliley Act, P.L. 106-102, shall be considered to meet the requirements of § 38.2-623 and any rules, regulations, or procedures established thereunder, provided that the licensee produces, upon request, documentation satisfactory to the Commissioner that independently validates the affiliated depository institution's adoption of an information security program that satisfies the Interagency Guidelines.

B. If a licensee ceases to qualify for an exception, such licensee shall have 180 days from the date it ceases to qualify to comply with this article.