Cyber incident reporting law takes effect in Virginia

A new law gives all agencies and local governments 24 hours to report cybersecurity incidents to Virginia's fusion center.
Glenn Youngkin speaks during an election-night rally at the Westfields Marriott Washington Dulles on Nov. 2, 2021 in Chantilly, Virginia. (Anna Moneymaker / Getty Images)

A new law that took effect in Virginia last week requires the commonwealth’s agencies and local governments to report cybersecurity incidents within 24 hours of detection.

Senate Bill 764, which passed the Virginia General Assembly with near-unanimous support in March and was signed by Gov. Glenn Youngkin the following month, requires every public body in the state to report all events that compromise data security, expose protected information or disrupt IT systems to the Virginia Fusion Intelligence Center, an interagency facility led by the Virginia State Police.

“Cybersecurity is a priority of critical importance for the Commonwealth of Virginia.”

Aliscia Andrews, Youngkin’s deputy secretary of cybersecurity

The law adds Virginia to a growing list of states to impose reporting requirements on agencies and local governments. As incidents like ransomware have stacked up for years, cybersecurity officials and analysts have often been frustrated by the lack of requirements for certain organizations — like school districts — to acknowledge attacks that compromise the data of citizens, customers and students. Any reports are to be shared with the commonwealth’s chief information officer, according to the text of the legislation.


“Cybersecurity is a priority of critical importance for the Commonwealth of Virginia, as is focused coordination of government of all levels and entities,” Aliscia Andrews, Youngkin’s deputy secretary of cybersecurity, said in a press release.

The law also puts CIO Bob Osmond in charge of a working group, composed of state and local officials, to refine incident-reporting practices and deliver revised guidelines to the legislature by Nov. 15.

Many states have in the past two years imposed new cyber incident reporting requirements as governments nationwide attempt to increase their information-sharing abilities. Since the start of 2021, Indiana, New Hampshire and West Virginia have also imposed new incident reporting requirements on state agencies and localities, according to the National Association of State Legislatures.

At the federal level, a law President Joe Biden signed in March requires critical infrastructure owners and operators to report any major hacks or ransomware payments to the Cybersecurity and Infrastructure Security Agency.

In addition to the new reporting law, Virginia also enacted a measure that adds more private-sector slots to the state’s Information Technology Advisory Council, a board that advises officials on tech policy. It also added cybersecurity to the board’s purview.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts