SECURITY ADDENDUM - ENTERPRISE
VIRGINIA JURISDICTIONAL VERSION
This Security Addendum ("Addendum") is entered into as of [__/__/____] ("Effective Date") by and between:
CUSTOMER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
("Customer" or "Controller")
SERVICE PROVIDER:
Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
("Provider" or "Processor")
This Addendum is incorporated into and made part of the Master Agreement dated [__/__/____] between Customer and Provider (the "Agreement"). In the event of any conflict between this Addendum and the Agreement, this Addendum shall control with respect to data security matters.
ARTICLE 1: DEFINITIONS
1.1 "Authorized Personnel" means Provider's employees, contractors, and agents who have a legitimate business need to access Customer Data and who have undergone background screening and security training.
1.2 "Customer Data" means all data, including Personal Information and Sensitive Data, provided by or on behalf of Customer to Provider, or collected, processed, or stored by Provider on Customer's behalf.
1.3 "Data Breach" or "Security Incident" means any unauthorized access to, acquisition of, or disclosure of Customer Data, or any other event that compromises the security, confidentiality, or integrity of Customer Data.
1.4 "Personal Information" has the meaning set forth in Va. Code § 18.2-186.6, including an individual's first name or first initial and last name in combination with any of the following: (i) social security number; (ii) driver's license number or state identification card number; (iii) financial account number or credit/debit card number with required security code; (iv) passport number; or (v) military identification number.
1.5 "Sensitive Data" has the meaning set forth in Va. Code § 59.1-575, including data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data.
1.6 "VCDPA" means the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.
1.7 "Security Standards" means the security controls, measures, and practices set forth in this Addendum.
ARTICLE 2: DATA SECURITY REQUIREMENTS AND CONTROLS
2.1 General Security Obligation. Provider shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Customer Data, as required by Va. Code § 59.1-578. Such practices shall be appropriate to the volume and nature of the Customer Data processed.
2.2 Security Framework. Provider shall maintain a comprehensive information security program aligned with one or more of the following frameworks:
☐ NIST Cybersecurity Framework (CSF) 2.0
☐ ISO/IEC 27001:2022
☐ SOC 2 Type II
☐ Other recognized framework: [________________________________]
2.3 Security Controls. Provider shall implement and maintain the following minimum security controls:
(a) Administrative Controls:
- Written information security policies and procedures
- Designated security officer or team responsible for security program
- Risk assessment procedures conducted at least annually
- Security awareness training for all personnel
- Incident response plan and procedures
- Change management procedures
- Vendor/third-party risk management program
(b) Technical Controls:
- Malware and antivirus protection with regular updates
- Intrusion detection and prevention systems
- Security information and event management (SIEM)
- Data loss prevention (DLP) technologies
- Secure software development lifecycle (SDLC) practices
- Regular vulnerability scanning and penetration testing
- Logging and monitoring of system access and activities
(c) Operational Controls:
- Documented security procedures for all critical operations
- Regular review and testing of security controls
- Separation of duties for critical functions
- Secure disposal procedures for media and equipment
ARTICLE 3: PHYSICAL SECURITY MEASURES
3.1 Facility Security. Provider shall maintain physical security measures at all facilities where Customer Data is processed or stored, including:
(a) Access Controls:
☐ Controlled entry points with authentication required
☐ Visitor management and escort procedures
☐ Access logs maintained for minimum of [____] months
☐ Badge/key card access systems with individual accountability
☐ Biometric access controls for sensitive areas
(b) Environmental Controls:
☐ Fire detection and suppression systems
☐ Climate control systems (HVAC) for equipment areas
☐ Uninterruptible power supply (UPS) systems
☐ Backup power generation capabilities
☐ Water/flood detection systems
(c) Surveillance and Monitoring:
☐ 24/7 video surveillance of entry points and sensitive areas
☐ Surveillance recordings retained for minimum of [____] days
☐ Security personnel on-site or on-call 24/7
☐ Alarm systems with monitoring services
3.2 Data Center Requirements. If Customer Data is stored in data centers, such facilities shall maintain:
- Minimum Tier [____] data center classification (Uptime Institute or equivalent)
- SOC 2 Type II certification or equivalent
- Geographic location within: [________________________________]
ARTICLE 4: NETWORK AND SYSTEM SECURITY
4.1 Network Security. Provider shall implement and maintain:
(a) Perimeter Security:
- Enterprise-grade firewalls with stateful inspection
- Network segmentation separating Customer Data from other systems
- Demilitarized zones (DMZ) for public-facing services
- Web application firewalls (WAF) for web-based applications
(b) Network Monitoring:
- Real-time network traffic monitoring
- Anomaly detection capabilities
- Network-based intrusion detection/prevention systems (IDS/IPS)
- Regular network vulnerability assessments
(c) Wireless Security:
- WPA3 or current industry-standard encryption for wireless networks
- Segregation of guest and corporate wireless networks
- Wireless intrusion detection systems
- Regular wireless security assessments
4.2 System Security. Provider shall maintain:
(a) System Hardening:
- Documented baseline configurations for all system types
- Removal or disabling of unnecessary services, ports, and protocols
- Regular application of security patches within:
  - Critical patches: [____] hours/days of release
  - High-severity patches: [____] days of release
  - Other patches: [____] days of release
(b) Endpoint Security:
- Endpoint detection and response (EDR) solutions
- Host-based firewalls on all endpoints
- Full-disk encryption on all portable devices
- Mobile device management (MDM) for company devices accessing Customer Data
ARTICLE 5: ACCESS CONTROL REQUIREMENTS
5.1 Access Management. Provider shall implement access controls including:
(a) Identity Management:
- Unique user identification for all personnel
- Strong authentication mechanisms (minimum [____]-character passwords with complexity requirements)
- Multi-factor authentication (MFA) required for:
  ☐ All remote access
  ☐ Administrative/privileged access
  ☐ Access to Customer Data
  ☐ Cloud service administration
- Prohibition on shared or generic accounts for accessing Customer Data
(b) Authorization:
- Role-based access control (RBAC) implementation
- Principle of least privilege applied to all access grants
- Documented access approval processes
- Segregation of duties for sensitive functions
(c) Access Reviews:
- Quarterly review of user access rights
- Immediate revocation upon termination or role change
- Annual recertification of privileged access
- Monitoring of privileged account usage
5.2 Remote Access. All remote access to systems containing Customer Data shall:
- Utilize encrypted VPN or equivalent secure connection
- Require multi-factor authentication
- Be logged and monitored
- Be limited to Authorized Personnel with documented business need
5.3 Third-Party Access. Provider shall:
- Maintain documented procedures for granting third-party access
- Require third parties to comply with equivalent security controls
- Monitor and log all third-party access
- Revoke access immediately upon contract termination
ARTICLE 6: ENCRYPTION STANDARDS
6.1 Encryption at Rest. All Customer Data stored by Provider shall be encrypted using:
(a) Minimum Standards:
- Algorithm: AES-256 or equivalent NIST-approved algorithm
- Key length: Minimum 256-bit for symmetric encryption
- Storage encryption: Full-disk encryption or database-level encryption
- Backup encryption: All backups encrypted to same standards
(b) Key Management:
- Hardware security modules (HSMs) for key protection where feasible
- Documented key management procedures
- Regular key rotation schedule: [________________________________]
- Secure key storage separate from encrypted data
- Key recovery procedures with appropriate controls
6.2 Encryption in Transit. All Customer Data transmitted shall be encrypted using:
(a) Transport Layer Security:
- Minimum TLS 1.2; TLS 1.3 preferred
- Strong cipher suites only (no deprecated algorithms)
- Certificate-based authentication for system-to-system communications
- Perfect forward secrecy (PFS) enabled
(b) Application-Level Encryption:
- API communications secured with TLS/HTTPS
- Email encryption for sensitive communications
- File transfer encryption for batch data exchanges
6.3 Encryption Exceptions. Any exceptions to encryption requirements must be:
- Documented in writing
- Approved by Customer in advance
- Subject to compensating controls
- Reviewed quarterly for continued necessity
ARTICLE 7: VULNERABILITY MANAGEMENT
7.1 Vulnerability Assessment. Provider shall conduct:
(a) Automated Scanning:
- Network vulnerability scans: Minimum [____] frequency
- Web application scans: Minimum [____] frequency
- Database vulnerability scans: Minimum [____] frequency
- Container/cloud configuration scans: Minimum [____] frequency
(b) Penetration Testing:
- External penetration testing: Annually or upon significant changes
- Internal penetration testing: Annually
- Web application penetration testing: Annually
- Testing conducted by qualified independent third party
7.2 Remediation Requirements. Provider shall remediate identified vulnerabilities according to the following timelines:
| Severity | Remediation Timeline |
|---|---|
| Critical (CVSS 9.0-10.0) | [____] hours/days |
| High (CVSS 7.0-8.9) | [____] days |
| Medium (CVSS 4.0-6.9) | [____] days |
| Low (CVSS 0.1-3.9) | [____] days |
7.3 Vulnerability Reporting. Provider shall provide Customer with:
- Executive summary of vulnerability assessments upon request
- Notification of critical vulnerabilities within [____] hours of discovery
- Quarterly vulnerability status reports
- Annual penetration test executive summaries
ARTICLE 8: INCIDENT RESPONSE PROCEDURES
8.1 Incident Response Plan. Provider shall maintain a documented incident response plan that includes:
- Incident classification and severity levels
- Roles and responsibilities of response team
- Communication procedures (internal and external)
- Evidence preservation procedures
- Escalation procedures
- Post-incident review processes
8.2 Incident Detection and Analysis. Provider shall:
- Maintain 24/7 security monitoring capabilities
- Investigate suspected incidents within [____] hours of detection
- Preserve all relevant logs and evidence
- Document all incident response activities
8.3 Incident Notification to Customer. Provider shall notify Customer of any Security Incident affecting Customer Data:
(a) Initial Notification:
- Timing: Within [____] hours of discovery
- Method: [________________________________]
- Contact: [________________________________]
(b) Notification Content:
- Nature and scope of the incident
- Types of Customer Data potentially affected
- Immediate containment measures taken
- Ongoing investigation status
- Recommended protective measures for Customer
(c) Ongoing Updates:
- Status updates every [____] hours during active incidents
- Written incident report within [____] days of containment
ARTICLE 9: DATA BREACH NOTIFICATION - VIRGINIA REQUIREMENTS
9.1 Compliance with Va. Code § 18.2-186.6. In the event of a Data Breach involving Personal Information of Virginia residents, Provider shall comply with all requirements of Va. Code § 18.2-186.6, including:
(a) Notification Timing:
- Notification to affected individuals without unreasonable delay
- Notification may be delayed only as necessary to determine scope and restore system integrity
- Notification may be delayed at law enforcement request if it would impede investigation
(b) Attorney General Notification:
- If breach affects Virginia residents, notify the Virginia Attorney General
- If breach affects more than 1,000 persons, notify consumer reporting agencies
(c) Notification Content: Notice shall include:
- Description of the incident in general terms
- Type of Personal Information subject to unauthorized access
- Actions taken to protect Personal Information from further unauthorized access
- Telephone number and address for further information
- Toll-free numbers and addresses for consumer reporting agencies
- Toll-free number, address, and website for the Virginia Attorney General
9.2 Provider Breach Response Obligations. Provider shall:
(a) Immediately notify Customer of any suspected or confirmed Data Breach
(b) Cooperate with Customer in investigating the breach
(c) Provide Customer with information needed to make required notifications
(d) Bear the costs of notification, credit monitoring, and remediation where the breach resulted from Provider's failure to comply with this Addendum
(e) Coordinate with Customer before any public statements regarding the breach
9.3 Breach Response Support. Upon Customer's request, Provider shall provide:
- Forensic investigation support
- Call center services for affected individuals
- Credit monitoring services for affected individuals: [____] months minimum
- Identity theft protection services
ARTICLE 10: AUDIT RIGHTS AND COMPLIANCE VERIFICATION
10.1 Right to Audit. Customer shall have the right to audit Provider's compliance with this Addendum, subject to the following:
(a) Audit Scope:
- Security policies, procedures, and controls
- Technical security measures
- Physical security at facilities processing Customer Data
- Personnel security practices
- Subcontractor compliance
(b) Audit Procedures:
- Customer shall provide [____] days' written notice for scheduled audits
- Audits conducted during normal business hours
- Audits limited to [____] per calendar year (unless breach occurs)
- Customer may use qualified third-party auditors subject to confidentiality agreements
- Emergency audits permitted immediately following a Security Incident
10.2 Audit Cooperation. Provider shall:
- Provide reasonable access to facilities, systems, and personnel
- Make relevant documentation available for review
- Respond to audit inquiries within [____] business days
- Provide copies of relevant third-party audit reports (SOC 2, ISO 27001, etc.)
10.3 Third-Party Certifications. Provider shall maintain and provide copies of:
☐ SOC 2 Type II Report (annually)
☐ ISO/IEC 27001 Certification
☐ PCI DSS Compliance (if processing payment data)
☐ HITRUST Certification (if processing health data)
☐ FedRAMP Authorization (if applicable)
☐ Other: [________________________________]
10.4 Remediation of Audit Findings. Provider shall:
- Develop remediation plans for identified deficiencies within [____] days
- Remediate critical findings within [____] days
- Remediate high-risk findings within [____] days
- Provide evidence of remediation to Customer
ARTICLE 11: SUBCONTRACTOR AND SUBPROCESSOR REQUIREMENTS
11.1 Subprocessor Approval. Provider shall not engage any subcontractor or subprocessor to process Customer Data without:
(a) Prior written approval from Customer; or
(b) Providing Customer with [____] days' advance notice and opportunity to object
11.2 Current Subprocessors. Provider's current subprocessors authorized to process Customer Data are listed in Exhibit A attached hereto.
11.3 Subprocessor Agreements. Provider shall ensure all subprocessors are bound by written agreements that:
- Impose data protection obligations no less protective than this Addendum
- Require compliance with applicable Virginia law, including VCDPA
- Grant Customer audit rights over subprocessor activities
- Require notification of any changes in subprocessor's security posture
11.4 Subprocessor Oversight. Provider shall:
- Conduct initial security assessments of all subprocessors
- Perform annual security reviews of subprocessors
- Monitor subprocessor compliance with security requirements
- Maintain records of subprocessor assessments available for Customer review
11.5 Liability for Subprocessors. Provider shall remain fully liable for the acts and omissions of its subprocessors as if performed by Provider itself.
ARTICLE 12: EMPLOYEE TRAINING REQUIREMENTS
12.1 Security Awareness Training. Provider shall ensure all personnel with access to Customer Data complete:
(a) Initial Training:
- Security awareness training within [____] days of hire/access grant
- Role-specific security training for technical personnel
- Training on applicable privacy laws including VCDPA
(b) Ongoing Training:
- Annual security awareness refresher training
- Phishing awareness training minimum [____] times per year
- Training updates following significant security incidents or policy changes
12.2 Training Content. Training shall address:
- Information security policies and procedures
- Data handling and classification requirements
- Password and authentication security
- Phishing and social engineering awareness
- Physical security requirements
- Incident reporting procedures
- Privacy and data protection requirements
- VCDPA compliance requirements
12.3 Training Records. Provider shall:
- Maintain records of all training completion
- Track training compliance rates
- Provide training completion reports to Customer upon request
12.4 Background Checks. Provider shall conduct background checks on all personnel with access to Customer Data, including:
- Criminal history check
- Employment verification
- Reference checks
- Additional screening as appropriate for role sensitivity
ARTICLE 13: BUSINESS CONTINUITY AND DISASTER RECOVERY
13.1 Business Continuity Plan. Provider shall maintain a documented business continuity plan that includes:
- Business impact analysis
- Recovery strategies for critical systems
- Communication procedures during disruptions
- Roles and responsibilities during events
- Regular testing and updates
13.2 Disaster Recovery Requirements. Provider shall maintain disaster recovery capabilities meeting the following objectives:
| Metric | Requirement |
|---|---|
| Recovery Time Objective (RTO) | [____] hours |
| Recovery Point Objective (RPO) | [____] hours |
| Backup Frequency | [________________________________] |
| Backup Retention | [____] days/months |
| Geographic Redundancy | ☐ Required ☐ Not Required |
13.3 Backup Requirements. Provider shall:
- Perform regular backups of Customer Data per agreed schedule
- Encrypt all backup media using standards in Article 6
- Store backups in geographically separate location from primary systems
- Test backup restoration: Minimum [____] frequency
- Maintain backup logs and verification records
13.4 Testing. Provider shall:
- Test disaster recovery procedures: Minimum annually
- Test business continuity plans: Minimum annually
- Conduct tabletop exercises: Minimum [____] frequency
- Provide test results to Customer upon request
13.5 Notification. Provider shall notify Customer within [____] hours of any event requiring activation of business continuity or disaster recovery plans.
ARTICLE 14: DATA RETENTION AND DESTRUCTION
14.1 Data Retention. Provider shall:
- Retain Customer Data only as long as necessary for the purposes specified in the Agreement
- Comply with Customer's data retention policies as provided in writing
- Not retain Customer Data beyond the retention period without Customer's written consent
14.2 Data Return. Upon termination or expiration of the Agreement, or upon Customer's written request:
(a) Provider shall return all Customer Data in a format and manner specified by Customer within [____] days
(b) Customer Data return shall include:
- All production data
- All backup copies
- All derivative data
- Data held by subprocessors
14.3 Data Destruction. Following confirmed return of Customer Data (or upon Customer's written instruction in lieu of return):
(a) Destruction Standards:
- Electronic media: NIST SP 800-88 compliant sanitization
- Physical media: Cross-cut shredding or incineration
- Cloud/virtual: Cryptographic erasure or secure deletion
(b) Destruction Timeline:
- Destruction within [____] days of return confirmation or instruction
- Written certification of destruction within [____] days of completion
(c) Destruction Certification. Provider shall provide written certification of destruction that includes:
- Date of destruction
- Description of data destroyed
- Method of destruction
- Name and title of person overseeing destruction
14.4 Exceptions. Provider may retain Customer Data after termination only if:
- Required by applicable law (with written notice to Customer)
- Contained in routine backup systems (subject to security requirements until destroyed)
ARTICLE 15: VCDPA COMPLIANCE PROVISIONS
15.1 Processor Obligations. As a processor under the VCDPA (Va. Code § 59.1-579), Provider shall:
(a) Processing Instructions:
- Process Customer Data only according to Customer's documented instructions
- Inform Customer if instructions violate applicable law
- Not process Customer Data for Provider's own purposes
(b) Confidentiality:
- Ensure all personnel processing Customer Data are bound by confidentiality obligations
- Limit access to Customer Data to Authorized Personnel
(c) Security:
- Implement appropriate technical and organizational measures per Va. Code § 59.1-578
- Assist Customer in meeting security obligations
(d) Consumer Rights Support:
- Assist Customer in responding to consumer rights requests under Va. Code § 59.1-577
- Provide necessary information within [____] business days of Customer request
- Not respond directly to consumers without Customer authorization
15.2 Data Protection Assessments. Provider shall cooperate with Customer's data protection assessments required under Va. Code § 59.1-580 by:
- Providing information about processing activities
- Assisting with risk assessments
- Implementing recommended safeguards
15.3 Sensitive Data Processing. If Provider processes Sensitive Data as defined in Va. Code § 59.1-575:
- Provider shall implement enhanced security measures
- Processing shall occur only with explicit consent obtained by Customer
- Provider shall notify Customer immediately of any Sensitive Data exposure
15.4 Children's Data. If Provider processes personal data of known children (under age 13):
- Provider shall comply with enhanced protections under VCDPA as amended
- Parental consent verification procedures shall be documented
- Additional safeguards shall be implemented as specified by Customer
15.5 Deletion and Return. At Customer's direction, Provider shall delete or return all Customer Data per Article 14, as required by Va. Code § 59.1-579.
15.6 Audit Cooperation. Provider shall make available to Customer all information necessary to demonstrate compliance with processor obligations under the VCDPA.
ARTICLE 16: INSURANCE REQUIREMENTS
16.1 Required Coverage. Provider shall maintain the following insurance coverage throughout the term of the Agreement:
| Coverage Type | Minimum Limit |
|---|---|
| Commercial General Liability | $[________________________________] per occurrence |
| Professional Liability/E&O | $[________________________________] per claim |
| Cyber Liability/Data Breach | $[________________________________] per claim |
| Workers' Compensation | Statutory limits |
| Umbrella/Excess Liability | $[________________________________] |
16.2 Cyber Liability Coverage. Provider's cyber liability insurance shall include coverage for:
- Data breach response costs
- Notification expenses
- Credit monitoring services
- Forensic investigation costs
- Regulatory fines and penalties (where insurable)
- Business interruption
- Cyber extortion/ransomware
- Third-party claims
16.3 Insurance Requirements. All required insurance policies shall:
- Be issued by insurers rated A- or better by A.M. Best
- Name Customer as additional insured where applicable
- Include waiver of subrogation in favor of Customer
- Provide [____] days' written notice of cancellation or material change
16.4 Evidence of Insurance. Provider shall:
- Provide certificates of insurance upon request
- Provide certificates annually during the term
- Notify Customer within [____] days of any claim that may affect coverage
ARTICLE 17: REMEDIATION PROCEDURES
17.1 Non-Compliance Notification. If Provider becomes aware of any non-compliance with this Addendum, Provider shall:
- Notify Customer within [____] hours of discovery
- Provide details of the non-compliance
- Propose remediation measures
- Implement interim protective measures
17.2 Remediation Plan. Upon identification of any security deficiency or non-compliance:
(a) Provider shall develop a remediation plan within [____] business days that includes:
- Root cause analysis
- Specific corrective actions
- Timeline for completion
- Responsible parties
- Verification measures
(b) Customer shall have the right to review and approve remediation plans for material deficiencies
17.3 Remediation Timelines.
| Deficiency Severity | Remediation Timeline |
|---|---|
| Critical | [____] hours/days |
| High | [____] days |
| Medium | [____] days |
| Low | [____] days |
17.4 Remediation Verification. Provider shall:
- Document completion of remediation activities
- Provide evidence of remediation to Customer
- Implement controls to prevent recurrence
- Update policies and procedures as needed
17.5 Customer Remedies. If Provider fails to remediate material deficiencies within agreed timelines, Customer may:
- Conduct or commission independent assessment at Provider's expense
- Require implementation of additional controls
- Suspend data transfers until remediation is complete
- Terminate the Agreement for cause
- Exercise other remedies available under the Agreement or applicable law
ARTICLE 18: GENERAL PROVISIONS
18.1 Term. This Addendum shall remain in effect for the duration of the Agreement and shall survive termination with respect to any Customer Data retained by Provider.
18.2 Amendments. This Addendum may only be amended in writing signed by authorized representatives of both parties.
18.3 Governing Law. This Addendum shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without regard to conflict of laws principles.
18.4 Entire Agreement. This Addendum, together with the Agreement, constitutes the entire agreement between the parties with respect to data security and supersedes all prior agreements on this subject.
18.5 Severability. If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
18.6 Notices. All notices under this Addendum shall be in writing and delivered to the addresses set forth in the Agreement or as otherwise specified by the parties.
18.7 Waiver. No waiver of any provision of this Addendum shall be effective unless in writing and signed by the waiving party.
18.8 Counterparts. This Addendum may be executed in counterparts, each of which shall be deemed an original.
ARTICLE 19: EXECUTION
The parties have executed this Security Addendum as of the Effective Date.
CUSTOMER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SERVICE PROVIDER:
Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
EXHIBIT A: AUTHORIZED SUBPROCESSORS
| Subprocessor Name | Services Provided | Data Center Location | Data Types Processed |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
EXHIBIT B: SECURITY CONTACT INFORMATION
Customer Security Contact:
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
24/7 Emergency: [________________________________]
Provider Security Contact:
Name: [________________________________]
Title: [________________________________]
Email: [________________________________]
Phone: [________________________________]
24/7 Emergency: [________________________________]
Incident Notification Email: [________________________________]
EXHIBIT C: TECHNICAL SECURITY SPECIFICATIONS
Encryption Standards:
- Data at Rest: [________________________________]
- Data in Transit: [________________________________]
- Key Management: [________________________________]
Authentication Requirements:
- Password Policy: [________________________________]
- MFA Solution: [________________________________]
- Session Timeout: [________________________________]
Network Security:
- Firewall: [________________________________]
- IDS/IPS: [________________________________]
- VPN: [________________________________]
Monitoring and Logging:
- SIEM Solution: [________________________________]
- Log Retention: [________________________________]
- Monitoring Coverage: [________________________________]
VERIFICATION CHECKLIST
Prior to execution, the parties confirm review of the following:
☐ Master Agreement referenced and attached
☐ All blank fields completed or marked N/A
☐ Subprocessor list in Exhibit A is current and complete
☐ Security contacts in Exhibit B are current
☐ Technical specifications in Exhibit C are accurate
☐ Insurance certificates obtained and verified
☐ Virginia-licensed legal counsel has reviewed this Addendum
☐ Both parties have authority to execute
This Security Addendum incorporates Virginia-specific requirements under the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) and Virginia's data breach notification law (Va. Code § 18.2-186.6). Organizations should consult with qualified legal counsel to ensure compliance with all applicable federal, state, and local requirements.