VACo needs your assistance in analyzing the impact of SB 764 (Barker) and HB 1290 (Hayes). We encourage you to consult with your Information Technology staff and risk insurance providers to analyze the potential impact of these bills to your county.
SB 764 and HB 1290 would require every public body, including local governments, to report to the Chief Information Officer (CIO) of the Commonwealth all known incidents that threaten the security of the Commonwealth’s data or communications or result in exposure of data protected by federal or state laws and all other incidents compromising the security of the public body’s information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. The bills would require such reports to be made to the CIO within 24 hours from when the incident was discovered. These bills were introduced at the request of the Virginia IT Agency (VITA).
After consultation with Risk Insurance Providers, VACo has concerns that such a mandatory reporting bill would interfere with existing reporting and cybersecurity attack responses provided through VACoRP or other insurers. These concerns stem primarily from the short reporting time which could coincide with an ongoing cyberattack, the value of the data reported, and the security of said information. VACo has urged the patrons that a study of this issue involving all relevant stakeholders be conducted to make informed recommendations to the General Assembly.
HB 1290 is docketed to be heard in the House Communications, Technology, and Innovations Committee Monday, January 31 at 10 a.m. Please forward any information on potential impact to firstname.lastname@example.org.
VACo Contact: Jeremy R. Bennett