
Virginia Amends Data Breach Statute to Add Notification Requirement for Breach of Payroll Data

Tax scams remain a vexing problem for companies and individual taxpayers. On February 2, 2017, the IRS issued a second alert to employers warning of the increasing threat of W-2 phishing schemes. You can view the alert here. The IRS issued a similar alert on March 1, 2016, which is posted here.

Scam first appeared in 2016

The IRS has indicated that the W-2 scam, which first appeared last year, is circulating earlier in the tax season this year and reaching a broader range of organizations. In this scam, cybercriminals spoof an email so that it appears to come from an executive of the organization. The email is sent to an employee in the organization's payroll or human resources department and requests a list of all employees and their W-2 forms.

College falls victim

The scam has already claimed victims in 2017. On February 15, 2017, Virginia Wesleyan College released a notice advising that the 2016 W-2 tax form information of its employees had been sent that day to an unauthorized third party in response to an email scam. The information was sent by an employee who believed the email was a legitimate internal request. College officials immediately notified the FBI, IRS, state taxing authorities, and affected employees.

Virginia amends notification requirements

One state recently addressed this issue by amending its existing data breach notification statute to ensure that state authorities are promptly notified of the breach of payroll data. On March 13, 2017, Virginia Governor Terry McAuliffe approved amendments to the state’s data breach notification statute (Va. Code Ann. § 18.2-186.6). The new amendments require employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Notification is required even if the breach does not otherwise trigger the statute’s requirement that the company notify residents of the state of the breach. The notice to the Attorney General's office must include the affected employer or payroll service provider’s name and federal employer identification number. Upon receipt of such notice, the Attorney General's office must notify the state’s Department of Taxation of the breach.

The new law amends § 18.2-186.6 by adding a new subpart M that provides as follows:

Notwithstanding any other provision of this section, any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld … shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this subsection applies only to information regarding the employer's employees, and does not apply to information regarding the employer's customers or other non-employees.

Such employer or payroll service provider shall provide the Office of the Attorney General with the name and federal employer identification number of the employer … that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Office of the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.

Notification must be provided under the new Virginia law even if the breach was not the result of the type of scam targeted in the 2016 and 2017 IRS alerts. The amendments to the Virginia law are effective July 1, 2017. A copy of the new law is available here.

Companies and individual taxpayers should remain vigilant and exercise care in responding to any request for copies of W-2 forms.