Virginia Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to Virginia data privacy and cybersecurity laws, including the VCDPA, breach notification requirements under Va. Code 18.2-186.6, and industry-specific compliance obligations.
Virginia made national history in March 2021 when it became the second state in the country — after California — to enact a comprehensive consumer data privacy law. The Virginia Consumer Data Protection Act (VCDPA), signed by Governor Ralph Northam and effective January 1, 2023, established Virginia as a leader in state-level privacy regulation. But the VCDPA is only one piece of Virginia's cybersecurity compliance landscape. Businesses operating in the Commonwealth must also navigate breach notification requirements, government data collection rules, and — for the state's enormous defense contractor community — federal frameworks like CMMC that carry Virginia-specific implications.
This guide provides a detailed breakdown of every major cybersecurity and data privacy law affecting Virginia businesses. Whether you are a technology company in Tysons, a healthcare system in Richmond, or a defense subcontractor in Hampton Roads, understanding these requirements is essential. The Virginia data breach timeline demonstrates what happens when compliance fails, and the stakes continue to rise as enforcement activity increases.
Virginia Data Privacy and Cybersecurity Laws
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA, codified at Va. Code Sections 59.1-575 through 59.1-585, was enacted as SB 1392 during the 2021 legislative session and took effect on January 1, 2023. It applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and that either (a) control or process personal data of at least 100,000 Virginia consumers during a calendar year, or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Key provisions of the VCDPA include:
Consumer rights: Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data. They also have the right to opt out of the processing of personal data for targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects.
Data protection assessments: Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, processing of sensitive data, and profiling.
Sensitive data consent: Processing sensitive data — including racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic or biometric data, children's data, and precise geolocation — requires the consumer's opt-in consent.
Privacy notice requirements: Controllers must provide a reasonably accessible, clear privacy notice that discloses the categories of personal data processed, the purposes of processing, how consumers may exercise their rights, and the categories of third parties with whom data is shared.
Processor contracts: Controllers must establish contracts with data processors that govern data processing instructions, confidentiality, subprocessor engagement, and audit rights.
VCDPA Enforcement and Penalties
The VCDPA is enforced exclusively by the Virginia Attorney General. There is no private right of action. Before pursuing enforcement, the AG must provide a 30-day cure period during which the business can remedy the alleged violation. If the violation is not cured, the AG may seek injunctive relief and civil penalties of up to $7,500 per violation. The Virginia AG's office has indicated that enforcement will focus on willful or repeated violations and that good-faith compliance efforts will be considered.
Virginia Breach Notification Law (Va. Code Section 18.2-186.6)
Virginia's breach notification statute requires any individual or entity that owns or licenses computerized data containing personal information of Virginia residents to notify affected individuals of a breach of that data without unreasonable delay after discovery. Personal information is defined as an individual's first name or first initial and last name combined with one or more of the following: Social Security number, driver's license or state ID number, or financial account number with any required security code or password.
The statute was amended in 2022 to add a requirement that breaches affecting more than 1,000 Virginia residents must also be reported to the Office of the Attorney General. Notification to individuals must include a description of the incident, the type of personal information compromised, contact information for the entity, and contact information for the three major credit reporting agencies. Substitute notice through website posting and major media is permitted if the cost of direct notice would exceed $50,000, the affected class exceeds 100,000 individuals, or the entity lacks sufficient contact information.
Virginia Government Data Collection and Dissemination Practices Act
The Government Data Collection and Dissemination Practices Act (Va. Code Sections 2.2-3800 through 2.2-3809) governs how Virginia state and local government agencies collect, maintain, use, and disseminate personal information. It requires agencies to collect only personal information that is necessary and relevant to their authorized functions, maintain the information with accuracy and completeness, and establish safeguards to protect against unauthorized access. While this law primarily applies to government entities, it affects contractors and vendors who handle government data on behalf of Virginia agencies.
Virginia Computer Crimes Act
The Virginia Computer Crimes Act (Va. Code Sections 18.2-152.1 through 18.2-152.16) criminalizes unauthorized access to computer systems, computer fraud, malicious use of computer networks, and computer invasion of privacy. The statute provides both criminal penalties — ranging from misdemeanor to felony depending on the conduct and damages involved — and a civil cause of action allowing victims to recover damages and attorney's fees. Notably, Virginia was one of the first states to enact computer crime legislation, originally passing the law in 1984.
VCDPA Compared to Other State Privacy Laws
The VCDPA is frequently compared to the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act. Understanding the differences is important for organizations operating across multiple states:
No private right of action: Unlike the CCPA, which allows consumers to sue for certain data breaches, the VCDPA limits enforcement to the Attorney General. This significantly reduces class action litigation risk for Virginia businesses.
Narrower applicability thresholds: The VCDPA's 100,000-consumer or 25,000-consumer-plus-revenue thresholds mean that many smaller businesses fall outside its scope, unlike the CCPA, which uses a $25 million revenue threshold or 50,000 consumers.
Opt-in for sensitive data: The VCDPA requires affirmative opt-in consent for sensitive data processing, while the CCPA uses an opt-out model for most data categories.
30-day cure period: The VCDPA's mandatory cure period before the AG can seek penalties is more business-friendly than the CCPA's framework, where the cure provision for private actions has expired.
Industry-Specific Compliance in Virginia
Virginia's economic composition means that many organizations face layered compliance requirements that combine state laws with federal and industry-specific frameworks.
CMMC — Defense Contractors
Virginia hosts more Department of Defense contractors than any other state. Companies in Northern Virginia and the Hampton Roads region handling controlled unclassified information (CUI) must achieve Cybersecurity Maturity Model Certification (CMMC) compliance under the Department of Defense's updated requirements. CMMC 2.0 Level 2 requires implementing all 110 security controls in NIST SP 800-171 and undergoing third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). For the thousands of Virginia defense subcontractors, CMMC compliance is not a regulatory nicety — it is a contractual prerequisite for doing business with the DoD. Many of these firms benefit from managed IT services that specialize in NIST and CMMC alignment.
HIPAA — Healthcare Organizations
Virginia's healthcare systems, including Inova, Sentara, and VCU Health, must comply with both HIPAA and Virginia's breach notification law. Virginia's breach notification definition of personal information is broader in some respects than HIPAA's definition of protected health information, which means healthcare organizations must track compliance against both frameworks. Virginia does not have a state medical privacy statute as expansive as some states, but the combination of HIPAA and state breach notification requirements creates meaningful compliance obligations. Healthcare IT security partnerships are common among Virginia providers seeking to meet these dual requirements.
FedRAMP — Cloud Service Providers
Many Virginia technology companies, particularly those in the Northern Virginia data center corridor, provide cloud services to federal agencies. These organizations must achieve Federal Risk and Authorization Management Program (FedRAMP) authorization, which requires implementing NIST SP 800-53 controls, undergoing a third-party assessment, and maintaining continuous monitoring. The density of FedRAMP-authorized cloud providers in Virginia reflects the state's role as the primary data center hub for the federal government.
Building a Virginia Compliance Program
For Virginia businesses navigating multiple compliance requirements, a risk-based approach is most effective:
Map your data: Identify what personal data you collect, where it is stored, who has access, and how it flows through your organization. This data inventory is the foundation for VCDPA compliance, breach notification readiness, and CMMC assessment preparation.
Assess your obligations: Determine which laws and frameworks apply to your organization based on the type of data you handle, the number of Virginia consumers you serve, and any industry-specific requirements like CMMC or HIPAA.
Implement controls: Deploy technical and administrative controls aligned with NIST frameworks. For VCDPA, focus on consent management, privacy notices, and data subject request processes. For breach notification, ensure you have detection and response capabilities that support timely notification.
Document everything: The VCDPA requires data protection assessments, and CMMC requires a System Security Plan. Maintain documentation that demonstrates your compliance efforts — this is critical both for regulatory defense and for the 30-day cure period if the AG identifies a violation.
Train your workforce: Employees are the front line of both security and privacy compliance. Conduct regular training on data handling procedures, phishing recognition, and incident reporting protocols.
Virginia small businesses that lack dedicated compliance staff often benefit from partnering with managed service providers who understand the state's regulatory landscape and can provide ongoing monitoring and compliance management.
Frequently Asked Questions
Does the VCDPA apply to small businesses?
The VCDPA applies to entities that process personal data of at least 100,000 Virginia consumers annually, or process data of at least 25,000 consumers and derive more than 50% of gross revenue from data sales. Many small businesses fall below these thresholds and are therefore not subject to the VCDPA's requirements. However, all Virginia businesses that handle personal information are still subject to the state's breach notification law under Va. Code Section 18.2-186.6, regardless of size.
What is the penalty for violating the VCDPA?
The Virginia Attorney General can impose civil penalties of up to $7,500 per violation of the VCDPA. However, the AG must first provide a 30-day cure period, during which the business can remedy the violation to avoid penalties. Enforcement is exclusively through the AG's office — there is no private right of action, meaning consumers cannot file individual lawsuits under the VCDPA.
How does Virginia's breach notification law differ from HIPAA?
Virginia's breach notification law (Va. Code 18.2-186.6) applies to all entities that handle personal information of Virginia residents, regardless of industry. HIPAA applies specifically to covered entities and their business associates in healthcare. The definitions of protected information differ between the two frameworks, and HIPAA requires notification within 60 days while Virginia requires notification without unreasonable delay. Healthcare organizations in Virginia must comply with both, applying whichever standard is more protective in each specific area.
Are defense contractors in Virginia subject to the VCDPA?
Defense contractors handling personal data of Virginia consumers may be subject to the VCDPA if they meet the threshold requirements. However, data processed pursuant to federal contracts and governed by federal law may be exempt from certain VCDPA provisions. The more pressing compliance obligation for Virginia defense contractors is typically CMMC, which governs their handling of controlled unclassified information for the Department of Defense and carries contractual rather than statutory penalties — loss of the contract itself.
When did the VCDPA take effect?
The VCDPA took effect on January 1, 2023. Virginia was the second state in the country to enact a comprehensive consumer data privacy law, following California's CCPA. The law was signed by Governor Ralph Northam on March 2, 2021, as SB 1392, giving businesses nearly two years to prepare for compliance before the effective date.
Does Virginia require a Data Protection Officer?
The VCDPA does not explicitly require the appointment of a Data Protection Officer (DPO), unlike the European Union's GDPR. However, the law does require controllers to conduct data protection assessments and respond to consumer rights requests, which in practice requires designating someone within the organization to manage privacy compliance. Many Virginia businesses, particularly those also subject to CMMC or FedRAMP, designate a privacy or compliance officer to coordinate across all applicable frameworks.
Alex Morgan
Updated Apr 4, 2026