On March 13, 2017, Virginia Governor Terry McAuliffe approved SB 1033. The bill, effective July 1, 2017, amends Virginia's data breach notification law to include certain payroll data (Va. Code Ann. § 18.2-186.6). In particular, the amendment requires employers and payroll service providers to notify the state's attorney general without unreasonable delay when an employer or payroll service provider discovers or is notified of unauthorized access and acquisition of unencrypted or unredacted computerized data containing a taxpayer identification number, in combination with that taxpayer's income tax withheld, that both:

Notably, notification must be made even if the breach does not otherwise trigger the statute's notification obligations to affected individuals. The employer or payroll provider must also confidentially provide the attorney general with the name and federal employer identification number of the employer that may be affected by the compromise.