Virginia court examines whether sexual orientation is protected by federal law

by Corey Zoldan
DiMuroGinsberg PC

You might be surprised to learn that federal courts have not yet definitively decided whether Title VII of the Civil Rights Act of 1964, which prohibits discrimination based on sex, also prohibits discrimination based on sexual orientation. Recently, the U.S. district court in Lynchburg had the opportunity to address the issue but declined to do so, instead deciding the case before it on other grounds. However, the court’s opinion still provides important lessons for compliance with federal antidiscrimination law.


Carla Bee Spencer, an openly gay woman, worked as the deputy chief of police in the town of Bedford for eight months before she was terminated in August 2016. She claimed that while she was employed, her coworkers and her supervisor often ignored and openly resented her because she is a gay woman. She also asserted that she was paid less than comparable heterosexual male employees, and her supervisor clearly favored her heterosexual male coworkers.

After she was terminated, Spencer filed suit, arguing that the police department and the town of Bedford violated Title VII by discriminating against her on the basis of her sexual orientation. The text of Title VII prohibits employers from discriminating against employees “because of [their] . . . race, color, religion, sex or national origin.” The town asked the court to dismiss the lawsuit because Spencer failed to state a viable legal claim since sexual orientation isn’t protected under Title VII.

Court’s ruling

U.S. District Court Judge Norman K. Moon rejected the town’s argument and ruled the case should continue. The court found that Spencer had sufficiently alleged she was discriminated against, not just because she is gay, but because she is a gay woman. Accordingly, the district court reasoned that “for present purposes, it is unnecessary to determine whether Title VII prohibits discrimination based on sexual orientation because [Spencer], as a woman who experienced discrimination based on her gender, sufficiently alleges membership in a protected class.”

In reaching that conclusion, Judge Moon relied on one of the seminal U.S. Supreme Court opinions laying out the law prohibiting sex discrimination. That 1989 case, Price Waterhouse v. Hopkins, stands for the proposition that a Title VII claim exists even if the discrimination isn’t based “solely” on the employee’s sex. It’s sufficient that the employee’s sex contributed to the discrimination. Spencer v. Town of Bedford, Case No. 6:18-cv-31 (W.D. Va., Nov. 2, 2018).

Local laws afford protection

Because the federal prohibition against employment discrimination based on sexual orientation remains uncertain, aggrieved employees must look to state and local laws to find protection. The Commonwealth of Virginia has yet to pass any statutes affirmatively establishing sexual orientation as a characteristic protected from acts of discrimination by private-sector employers. However, state government employees are protected by an Executive Order issued by then-Governor Terry McAuliffe in 2014.

Both the city of Alexandria and Arlington County have enacted local ordinances that specifically prohibit employment discrimination based on sexual orientation. Charlottesville has also prohibited discrimination against its employees on the basis of sexual orientation. It remains to be seen whether other localities in Virginia will enact similar provisions banning sexual orientation discrimination.

Bottom line

When it comes to this gray area, you are well-advised to err on the side of caution. As the Spencer case shows, employees can claim that the discrimination they faced was based on a combination of their gender and their sexual orientation to state a viable claim that could lead to prolonged litigation. The time, money, and public relations nightmare that can result from a sexual orientation discrimination case often simply isn’t worth the legal fight.

Internal policies prohibiting sexual orientation discrimination can proactively prevent issues from occurring in the first place and will allow you to better deal with them internally if they do. Given the legal and practical complexities in this area of the law, it’s wise to consult with experienced employment counsel who can guide you to a solution that’s best for your company going forward.

Corey Zoldan is an attorney with DiMuroGinsberg PC and a contributor to Virginia Employment Law Letter. He may be reached at

ADA case tests limits of employee testing

by Corey Zoldan
DiMuroGinsberg PC

Regardless of its ultimate outcome, a still-developing disability case in federal court in Norfolk serves to emphasize that you need to proceed with caution when instituting tests—especially written tests—for current employees or job applicants. The case also highlights the critical distinction between a “disability” and an “inability” for purposes of being covered under the Americans with Disabilities Act (ADA).

The case

Rayford Gray worked for Columbia Gas of Virginia for 31 years. He started out as a laborer and later was promoted to service technician. In 2015, Columbia decided to institute a written test for all employees. Gray took the written test but failed it three times. Although he contended that he was still able to perform the essential aspects of his job, Columbia fired him.

Gray asked Columbia to reconsider its decision because his poor test results stemmed from the fact that he had attention deficit hyperactivity disorder (ADHD) and couldn’t read. The company refused, and in September 2018, Gray went to court. His lawsuit claims that Columbia discriminated against him based on his disability by not reinstating him after he made it aware he had ADHD and couldn’t read.

Unanswered questions

At this point, Columbia hasn’t responded to Gray’s lawsuit. But if the case isn’t dismissed or otherwise resolved, we can expect to learn more details as it proceeds.

Those details may include the scope of Gray’s disability and whether he was in fact still able to perform the essential functions of his job. Additionally, if he couldn’t perform the essential functions, then the issue becomes whether Columbia needed to—and could have—provided him with reasonable accommodations that would have enabled him to continue to do his work.

Is there a causal connection?

An interesting point that neither Gray nor Columbia has yet addressed is the connection between ADHD and the inability to read.
In 2012, the U.S. 4th Circuit Court of Appeals (which is based in Richmond and whose rulings apply to Virginia employers) considered whether ADHD is a disability. In that case, Halpern v. Wake Forest Univ. Health Science, the appeals court held that “ADHD and anxiety disorders constitute disabilities giving rise to protection under the . . . ADA.” In reaching that conclusion, the court reasoned that the ADA protects against any “mental or psychological disorder, such as . . . specific learning disabilities.” Clearly, that language includes ADHD and dyslexia.

The situation becomes trickier, however, if Gray’s ADHD and inability to read are unrelated. The Equal Employment Opportunity Commission (EEOC) has previously commented in the appendix to its ADA regulations that “disadvantages such as poverty, lack of education or a prison record are not impairments.” Thus, if a person is unable to read because of a poor education, that person isn’t disabled.

This distinction between disability and inability is likely to be an issue that will be developed as the case moves forward. In all likelihood, addressing the matter will require expert testimony about the nature and effects of ADHD and its impact on Gray’s ability to read and other cognitive functions. Gray v. Columbia Gas of Virginia, 2:18-cv-00475-HCM-LRL.

Avoiding ADA claims

While the distinction between ADHD and an inability to read might ultimately allow Columbia to prevail in the lawsuit, there are several proactive, preventive steps you can take to avoid disability discrimination lawsuits in the first place. The EEOC recommends that you offer an oral test as an alternative to a written test for employees who have a disability that hinders their ability to read. If administering the test in an alternative format isn’t a viable option, the EEOC suggests assessing the ability of a disabled applicant or employee “through an interview, or through education, license, or work experience requirements.”

Further, if the employee or job applicant first becomes aware of having a disability that could have affected the test results only after the test is given, which is what Gray claims, you should have a policy requiring him to inform you immediately. At that point, you should consider providing a retest if a reasonable accommodation is available. Bear in mind, however, that the EEOC says you aren’t required to accommodate when an employee seeks a retest for an “essential function of the position and no reasonable accommodation was available to enable the individual to perform that function, or the necessary accommodation would impose an undue hardship.”

Because an appropriate assessment of your obligations under the ADA involves a number of complex issues, it’s always wise to consult with experienced employment counsel to make sure you have addressed all the necessary factors and have a solid factual and legal basis for the actions you take.

Editor’s note: Because of the various important issues Gray’s lawsuit raises for all employers, we will monitor the legal proceedings and keep you informed of key developments as the case moves forward.

Corey Zoldan is an attorney with DiMuroGinsberg PC and a contributor to Virginia Employment Law Letter. He may be reached at

Who Owns Your Company’s Social Media Accounts?

It happens every day. An employee takes over the responsibility of managing the social media accounts for an organization. Maybe it’s even their full-time job. The employee uses those accounts to promote the business, yet it takes on a persona that closely resembles the employee. The employee uses their individual user id and password and before you know it, they’ve taken a kind of ownership of the social media accounts.

Where does this fall under the company property umbrella? You would think it would be very clear—the company owns its advertising media, no matter what form it takes, right? But, what about a social media profile and its content? It can be so personal to the individual producing the thoughts. It’s their perspective, even though it might be derived from company information. Where does that fall?

An article on the subject, by DiMuroGinsberg attorney Jayna Genti, appears in the September, 2018 issue of the Virginia Employment Law Letter. It discusses a case involving a Virginia newspaper that recently asked a Virginia federal judge to force a former reporter to turn over access and use of what the newspaper claims is the company’s Twitter account. The reporter felt he personally engaged readers and subscribers to the account and followers to his reporting in particular. He felt it was something he could take with him to his next paper.

If you would like to obtain a copy of Jayna’s article entitled “Who Owns Your Company’s Social Media Accounts?”, or if you would like to subscribe to the Virginia Employment Law Letter, please contact Stephanie West at

Avoiding the Pitfalls of Leave under the ADA/FMLA

By: Jonathan R. Mook
As published by, a division of BLR, in the Virginia Employment Law Letter

Dealing with employees on Family and Medical Leave (FMLA) always is tricky. You can incur liability for interfering with an employee’s leave rights as well as for retaliating against an employee for seeking to exercise those rights or taking FMLA leave. Additionally, oftentimes an employee who qualifies for FMLA leave due to a serious health condition also may be disabled under the Americans with Disabilities Act (ADA). In this circumstance, you have two federal laws to worry about.

To help sort through these issues, we have asked DiMuroGinsberg partner, Jonathan R. Mook, who is a nationally recognized authority on the ADA and leave issues, to provide our readers guidance on how to avoid both FMLA and ADA claims.

Is it permissible to terminate an employee who is on FMLA leave?

The answer is “yes,” but proceed with care and caution.  Sometimes, while an employee is out on FMLA leave, the employer discovers that the employee has not been doing his or her job or has been engaged in some type of workplace misconduct that would justify termination. In this circumstance, the FMLA allows an employer to terminate the employee because it is a reason other than the employee’s taking or being entitled to the leave.  Bear in mind that any evidence of poor performance or misconduct should be sufficiently documented. That way, if, and when, an FMLA complaint with the Department of Labor or a lawsuit is filed, you will be able to present evidence that the basis for the employee’s termination was other than the employee’s taking (or need for) FMLA leave.

Even if it is permissible, do you advise the termination for misconduct of employees on FMLA leave?

I usually advise employers to wait and allow the employee to complete his or her FMLA leave.  When the employee returns to work, then the employer can confront the employee with the information that the employer has obtained while the employee was out.  During the meeting with the employee, the employer should ask the employee if there is any excuse for the employee’s misconduct or any mitigating factors.  If there are not, the employer can then take a job action.

When is it permissible to terminate an employee who has been on FMLA leave and has returned to work?

Again, it is permissible to terminate an employee for reasons other than the taking of FMLA leave (or the need for such leave), such as poor performance or misconduct.  The law does not require you to keep an unqualified or disruptive employee. The only circumstance in which an employer should consider letting an employee go for reasons relating to FMLA leave would be if the employee has falsified the FMLA documentation that the employee submitted to the employer to be approved for FMLA leave.  If an employee engages in fraud with respect to the taking of FMLA leave (for example, taking FMLA leave to go on vacation rather than for medical treatment), then the employer has a basis for termination.

What steps should an employer take to prepare for the possibility that an FMLA leave request will be followed by a need for an ADA reasonable accommodation?

Normally, it is the responsibility of the disabled employee to request a need for an ADA accommodation.  An employer need not anticipate an accommodation request.  However, where an employee has a serious health condition that rises to the level of an ADA disability, an employee may request leave for medical treatment and, possibly, recuperation.  If the employee is entitled to FMLA leave, the employer will provide the employee with the 12 weeks of FMLA leave (or longer under certain state laws).  After the FMLA leave expires, the employee may be entitled to additional leave as a reasonable accommodation under the ADA.

What is the EEOC’s position on leave as an ADA accommodation?

The U.S. Equal Employment Opportunity Commission (EEOC) has said that leave for medical treatment is a type of reasonable accommodation and that an employer may need to extend the leave until it becomes an undue hardship on the employer’s operations.  However, not all courts agree with the EEOC’s analysis.  In an opinion authored by Judge (now Justice) Neil Gorsuch, the Tenth Circuit Court of Appeals in its 2014 decision in Hwang v. Kansas State University said that an employer was not required to provide an employee suffering from cancer additional time off after the employer had already granted six months of paid leave.  Recently, in Severson v. Heartland Woodcraft, Inc., the Seventh Circuit said that a request for leave of several months over and above the twelve weeks of FMLA leave was not required as an ADA accommodation.

If additional leave is not granted, must the employer consider alternative accommodations?

Importantly, even if the accommodation of a multi-month leave of absence is not required under the ADA, you still need to explore other accommodations to allow a disabled employee to return to work following the expiration of that employee’s FMLA leave.  Such accommodations could be the elimination of those marginal job functions that the employee cannot perform or transferring the employee to a vacant position that the employee can perform notwithstanding the employee’s limitations caused by the disability.  You need to think ahead to take into account these possibilities. Unfortunately, there is not one easy answer. To make sure you have checked all the boxes, it always is advisable to consult with experienced employment counsel.

Jonathan R. Mook is a nationally recognized authority on the Americans with Disabilities Act and is a co-editor of the Virginia Employment Law Letter. For questions regarding this article or other employment law issues, you may contact Jonathan at

Is It OK To Fire An Employee For A False Harassment Report?

Federal anti-discrimination law generally protects an employee who reports discriminatory conduct, including sexual harassment at work. However, do the legal protections apply when an employee knowingly makes a false report of being harassed?

Recently, the Fourth Circuit Court of Appeals (whose rulings apply to all Virginia employers) answered this question with a definitive “no.” An article discussing the Fourth Circuit’s decision by DiMuroGinsberg attorney, Jayna Genti, appears in the August, 2017 issue of the Virginia Employment Law Letter. As Jayna’s article explains, the focus of analysis as to whether an employer acted unlawfully is on the employer’s subjective motivation for the action it took. If the employer’s subjective motivation was prompted by its belief that the report of harassment was knowingly false, then the employer may not be liable for illegal retaliation.

If you would like to obtain a copy of Jayna’s article entitled “Fourth Circuit: It’s OK to Fire Employee for False Harassment Report,” please contact Michele Kraftschik at

Fourth Circuit Revives FMLA Claims

Written by Jayna Genti

The Family and Medical Leave Act (“FMLA”) generally requires employers of 50 or more employees to allow their employees to take up to 12 weeks of unpaid leave for medical reasons, for the birth or adoption of a child, or for the care of a child, spouse, or parent who has a serious health condition.  A question arises, however, as to who is the “employer” for FMLA purposes where two or more businesses or entities exercise control over the working conditions of the employees, such as where a company outsources its payroll and administrative functions to a staffing firm.  In that case, there would be a primary and secondary  employer of the employees, which have overlapping obligations under the statute. This principle is illustrated by a recent Fourth Circuit decision involving the City of Alexandria.

Quintana’s Employment

In 2011, Monica P. Quintana (“Quintana”) began working for the City of Alexandria (“City”) answering phone calls from residents and directing callers to the appropriate City department.  Approximately a year later, the City contracted with Randstad US, L.P. (“Randstad”) to administer the payroll and perform related administrative functions for Quintana’s position.

The City characterized Randstad as Ms. Quintana’s new employer and told her to complete portions of a Randstad employment application form.  The City, however, also presented the change as a condition of Quintana’s continued employment with the City and told Quintana that all other aspects of her employment would remain the same.

For the remainder of Quintana’s time in her position, Randstad’s role remained limited to payroll and related administrative functions.  Quintana continued to report to City supervisors regarding all matters not related to payroll, and the City continued to control Quintana’s job title, compensation, work schedule, job functions and day-to-day work duties.

Quintana Takes Leave

On January 9, 2014, Quintana learned that her husband had been hospitalized and was in a coma. Later that day, Quintana asked her supervisor, Lisa Baker, who was a City employee, if she could take leave starting the next day to care for her husband.  Baker told Quintana that she could take leave without losing her job, as long as she was not gone for more than three months.  No one at the City indicated that Quintana was required to notify or obtain approval from Randstad to take leave.  Nonetheless, Quintana still notified Randstad that she was taking leave to care for her husband, with permission from the City.

On January 10, Quintana requested any necessary Family and Medical Leave Act (“FMLA”) forms from the City.  The City never provided Quintana with the forms or any notice about her rights and responsibilities under the FMLA.  After Quintana commenced her leave, she updated her supervisors and co-workers at the City regarding her husband’s condition and the status of her leave.

Quintana’s Termination

On January 16, Quintana notified Baker that she hoped to return to work soon.  However, on January 17, Baker emailed Quintana indicating that because the City had not heard from her in over a week, the City had replaced her.  This email was the only notice of Quintana’s termination.  Quintana sought reinstatement or alternative employment numerous times from the City and from Randstad, but without success.

The Lawsuit

Quintana sued the City and Randstad in Alexandria federal district court, asserting violations of the FMLA.  Quintana claimed that the City, as her primary employer, and Randstad, as her secondary employer, both denied her rights under the FMLA and retaliated or discriminated against her for exercising those rights.  In the alternative, Quintana claimed that Randstad was her primary employer and the City was her secondary employer.

Both the City and Randstad asked the district court to dismiss the case, contending that Quintana’s complaint failed to allege any FMLA violations.  In addressing the City’s request, the federal court assumed that the City was the secondary employer of Quintana and concluded that she had not alleged sufficient facts in her complaint to state a claim against the City.

Quintana appealed the decision to the Fourth Circuit Court of Appeals, which is based in Richmond, and whose decisions apply to the federal courts in Virginia, as well as those in West Virginia, Maryland, and North and South Carolina.

Fourth Circuit Decision

In addressing Quintana’s appeal, the Fourth Circuit explained that under the FMLA, only the primary employer is responsible for giving required notices to employees seeking leave, providing FMLA leave, and restoring the employee to his or her old job following FMLA leave.  By contrast, the secondary employer has a so-called “conditional reinstatement obligation” and is responsible only for accepting the employee returning from FMLA leave.  Both primary and secondary employers, however, are liable for “interference” and “retaliation” under the FMLA.  Additionally, in determining which of two joint employers is the primary employer, the Fourth Circuit said that a court should focus on which employer has the authority or responsibility to (1) hire and fire, (2) assign or place the employee, (3) make payroll, and (4) provide employment benefits.

In considering whether Quintana’s complaint stated an FMLA claim against the City as a primary employer, the Fourth Circuit emphasized that “[i]t is not fatal to Ms. Quintana’s complaint that all factors do not strongly indicate that the City is her primary employer.”  In her complaint, Quintana alleged that (1) the City had the authority and responsibility to hire and fire her and to assign or place her, (2) the City determined her compensation, and (3) the City unilaterally interviewed, hired, assigned, evaluated, and terminated her.  In light of these allegations, the Fourth Circuit ruled that Quintana had sufficiently alleged that the City was her primary employer and, therefore, had the responsibility to provide FMLA leave and restore her to her job following leave.

Moreover, even if the City were a secondary employer, the Fourth Circuit found that Quintana had alleged numerous instances of conduct by the City that could establish that it unlawfully interfered with, or denied, her FMLA benefits.  Such interference included failing to give proper notice or approval of Quintana’s request for FMLA leave, failing to restore Quintana to her phone answering position or to a substantially equivalent position, and terminating Quintana’s employment while she was on FMLA qualifying leave.

Finally, the Court found that the January 17 email from Baker terminating Quintana because she took leave sufficiently demonstrated that the City terminated Quintana because she engaged in activity protected by the FMLA.  The Fourth Circuit’s decision is Quintana v. City of Alexandria, No. 16-1630 (4th Cir. June 6, 2017).

The Takeaway

If you are an employer covered by the FMLA, prudence dictates that you should comply with the requirements of the statute whether you believe you should be classified as a primary employer or a secondary employer.  This is true for two reasons.  First, because the determination of primary versus secondary employment is predicated on a fact-based analysis, which requires weighing a number of factors, the outcome of the analysis can change over the course of an employee’s tenure.  Accordingly, rather than having to engage in a new evaluation each time one of the various factors changes, it usually is much easier to assume that all of the FMLA obligations apply.  Second, both primary and secondary employers are responsible for ensuring that they do not interfere with, or retaliate against, an employee who seeks to exercise his or her FMLA rights.

Thus, the safest route for you is not to rely on a specific employer designation as being primary or secondary, but, instead, to comply to the best of your ability with all the requirements of the FMLA that are under your control.  And, when in doubt, it always is wise to consult with legal counsel experienced in these matters to avoid the possibility that a lawsuit will be filed against you, as occurred with the City of Alexandria.

Editor’s Note:   A discussion of best practices to follow in outsourcing various business functions may be found in the article “Avoiding Employment Problems When You Decide to Outsource,” by DiMuroGinsberg partner, Milton Whitfield, which appears in the December, 2016 issue of the Virginia Employment Law Letter.

This article appears in the July, 2017 issue of the Virginia Employment Law Letter.

To subscribe to the Virginia Employment Law Letter, please contact

Is Your Noncompete Enforceable?

Noncompete agreements can be an effective way to prevent your employees from leaving your employ to work for a rival business using the skills, information and contacts they acquired while working for you. However, for a noncompete to be effective, it has to be enforceable as demonstrated by the decision in NVR, Inc. v. Nelson from the federal district court in Alexandria.

An article analyzing the court’s decision by DiMuroGinsberg attorney, Jayna Genti, appears in the June, 2017 issue of the Virginia Employment Law Letter. Jayna’s article entitled “Virginia Court Voids Employer’s Noncompete,” discusses the problems the court found with the noncompete’s indefinite geographic limitations and overbroad scope. As Jayna’s article explains, noncompetes must be drafted to ensure that the restrictions are clear and definite and do not unduly restrict the work opportunities of a former employee.

For a copy of the opinion, NVR, Inc. v. Nelson, or to subscribe to the Virginia Employment Law Letter, please contact

How To Protect Against and Respond to Cyberattacks – Part 2

by Milton Whitfield and Jayna Genti
DiMuroGinsberg PC

Last month, we reported on the costs of data breaches and steps you can take to help prevent what has become a very common occurrence at businesses and organizations across the country. If a data breach occurs at your organization, you need to be aware of Virginia laws that require you to undertake a number of steps to mitigate the potential harm to any individuals who may be affected.

States act to protect individuals against identity theft

Virginia, along with 46 other states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, has enacted legislation requiring private-sector, governmental, and educational entities to notify individuals when there are data security breaches involving personally identifiable information. These security breach laws typically include provisions addressing:

  • Who must comply with the law (e.g., businesses, data/information brokers, and governmental entities);
  • What is considered “personal information” (e.g., a person’s name combined with his Social Security number (SSN), driver’s license, or state ID; financial account numbers);
  • What constitutes a breach (e.g., unauthorized acquisition of data);
  • What’s required with regard to notice (e.g., who must be notified and the timing or method of notice); and
  • What is exempt (e.g., encrypted information).

Virginia’s security breach notification laws include Virginia Code § 18.2-186.6 (breach of personal information), § 32.1-127.1:05 (breach of medical information), and § 22.1-20.2 (student data security). Some of the key aspects of these Virginia laws that employers should understand are set out below.

Virginia’s security breach notification laws

Who is subject to Virginia’s laws? The data breach laws apply to any individual, legal, or commercial entity that owns or licenses computerized data that include personal information and any organization supported by public funds that owns or licenses computerized data that include medical information of a resident of the Commonwealth.

What constitutes “personal information”? Virginia’s data breach laws protect the personal and medical information of Virginia residents. “Personal information” means the first name or first initial and last name in combination with and linked to one or more of the following types of information belonging to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

  • SSN;
  • Driver’s license number or state ID card number issued in lieu of a driver’s license number; or
  • Financial account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a person’s financial accounts.

What is “medical information”? “Medical information” means the first name or first initial and last name in combination with and linked to one or more of the following types of information belonging to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

  • Any information about an individual’s medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or
  • An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals.

What is a “security breach”? A “breach of the security of the system” means the unauthorized access and acquisition of your unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained as part of your database of personal information and that causes, or you believe has caused or will cause, identity theft or other fraud affecting any resident of the Commonwealth.

Are there any exceptions? A breach of the security of your system doesn’t include the good-faith acquisition of personal information by your employees or agents if the personal information isn’t used for an unlawful purpose or subject to further unauthorized disclosure.

What is the “encryption safe harbor”? The unauthorized acquisition of your encrypted or redacted data, without access to the encryption key, doesn’t trigger the notice requirement under the statutes. The safe harbor isn’t available if personal information is encrypted but the encryption key is compromised.

What is “encryption”? “Encryption” means the transformation of data through the use of an algorithmic process into a form in which there’s a low probability of assigning it meaning without using a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

When are your notification obligations triggered? If a security breach causes, or you reasonably believe it has caused or will cause, identity theft or other fraud affecting a Virginia resident, notification is required.

What are the notice procedures? You must provide written, telephonic, or electronic notice to victims of a security breach without unreasonable delay, unless the disclosure would impede a law enforcement investigation (in which case notification is delayed until it’s authorized by the law enforcement agency). Notice to affected residents must contain specific information described in the statutes. You may provide substitute notice by means prescribed in the statute if your notification costs exceed $50,000, more than 100,000 people are affected, or you have insufficient contact information or do not have consent to provide notice by the primary means required by the statute.

What is “substitute notice”? Substitute notice includes all of the following:

  • E-mail notice if you have e-mail addresses for the affected residents;
  • Conspicuous posting of the notice on your website; and
  • Notice to major statewide media.

When must you notify the AG and consumer reporting agencies? You also must provide notice to the Office of the Virginia Attorney General (AG) without unreasonable delay. If you are required to notify more than 1,000 persons of a security breach at one time, you are also required to notify consumer reporting agencies without unreasonable delay.

What are your third-party notice requirements? If you maintain computerized data that include personal information you don’t own or license, you must notify the owner or licensee of any security breach without unreasonable delay following your discovery of the breach.

Are there other exemptions? You are considered to be in compliance with Virginia law if:

  • You maintain and comply with your own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Virginia data breach statutes;
  • You comply with the notification requirements or procedures imposed by your primary or functional state or federal regulator; or
  • You are subject to, and in compliance with, federal requirements under Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or the Health Breach Notification Rule promulgated by the Federal Trade Commission (FTC).

How does Virginia enforce its notification laws? The AG may bring a lawsuit and impose a civil penalty not to exceed $150,000 for a security breach or a series of breaches of a similar nature that are discovered in a single investigation. Individuals may bring an action to recover direct economic damages resulting from a violation of the Virginia data breach statutes. Violations by state-chartered or licensed financial institutions are redressed by the primary state regulator. Violations by insurance companies are redressed by Virginia’s State Corporation Commission.

Are private lawsuits permitted? Although security breaches are generally enforced by the AG, nothing in Virginia’s data breach notification statute precludes an individual whose personal or medical information has been compromised from bringing a lawsuit and seeking recovery of economic damages.

Bottom line

The specific steps that you must follow when your security is breached can be quite complicated, as this article confirms. Accordingly, if you experience a data breach, it’s always wise to consult with legal counsel experienced in data breach laws. An experienced attorney can ensure that you are complying with all of your legal requirements. That’s significant because, as our article next month will explain, you may have obligations under federal law as well as Virginia law.

Milton Whitfield and Jayna Genti are attorneys with DiMuroGinsberg PC and contributors to Virginia Employment Law Letter. They may be reached at or

© 2017 Used with permission of Fortis Business Media, Brentwood, TN 37027.

All rights reserved.


How To Protect Against and Respond to Cyberattacks – Part 1

by Milton Whitfield and Jayna Genti

Since January of last year, cyberattacks in Virginia have occurred at a rate of roughly one attack every four seconds. According to the 2016 Cost of Data Breach Study of the Ponemon Institute, which conducts independent research on data protection, malicious or criminal attacks continue to be the primary cause of data breaches nationwide. According to the study, fifty percent of incidents involved a malicious or criminal attack, 23 percent were caused by negligent employees, and 27 percent involved system glitches, which included both IT and business process failures. (The study is available at

To help you deal with this very real concern for all Virginia business and governmental entities, we shall be exploring in this and the next three issues of the Virginia Employment Law Letter (1) the financial costs of data breaches and steps you can take to improve your data protection procedures, (2) Virginia’s legal requirements for notifying consumers and other affected individuals of a data breach, (3) the federal laws that may be impacted by a data breach and the legal avenues of redress you have against the perpetrators, and (4) the recent cybersecurity initiatives being undertaken by Virginia Governor Terry McAuliffe. First, let’s turn to the monetary impact a data breach may inflict upon your operations.

Data Breach Costs

The Ponemon Institute study not only documents the prevalence of data breaches and their causes, but also the monetary consequences of a breach. According to the study, the increase in data breach costs, in large measure, is due to an increase in three types of expenditures:

  • Notification costs. These include, for example, costs associated with creating a contact database, determining all regulatory requirements, engaging outside experts, postal expenditures, secondary mail contacts, and inbound communication set-up.
  • Post data breach costs. These costs encompass help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services, and regulatory interventions.
  • Lost business costs. These costs arise from abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.

Mitigating the Damage

Fortunately, there are steps you can take to mitigate the harm from cyberattacks. The Ponemon Institute report found that you can reduce the cost of data breaches by instituting improvements in your data governance programs and investing in certain data loss prevention controls and activities. Accordingly, as part of your data governance program, you should consider (1) implementing an incident response plan, (2) appointing a Chief Information Security Officer (“CISO”), (3) creating employee training and awareness programs, and (4) developing a business continuity management strategy.

The cost of a data breach also can be reduced when you participate with other businesses in the sharing of information about cyber threats and attacks. Installing data loss prevention technologies, such as encryption and endpoint security solutions, also can help prevent data breaches in the first place.

If these measures are not successful and a data breach occurs, you have a number of legal obligations, particularly under Virginia law, to notify affected individuals. Next month, we shall be exploring what those obligations entail.

Editor’s Note: Prior articles in the Law Letter discussing cybersecurity include “Feeling Insecure? Understand Notice Requirements Under State Security Breach Laws” (December, 2014) and “Hackers Gonna Hack: Know the Security Threats Facing Your Business” (July, 2015).

Milton Whitfield is a partner at DiMuroGinsberg, P.C. and an experienced business lawyer who specializes in representing companies in complex corporate and technology transactions, including outsourcing and licensing of business processes, information technology, and related sourcing services. He also advises companies on various energy, government contract, regulatory, and transaction matters. Milton may be contacted at

Jayna Genti is an attorney with DiMuroGinsberg, P.C., and a former federal law clerk for U.S. Magistrate Judges Michael S. Nachmanoff and T. Rawles Jones, Jr., of the Eastern District of Virginia and U.S. District Judge David Briones of the Western District of Texas.

Published in the March, 2017 Virginia Employment Law Letter by BLR Publishing


Avoiding Employment Problems In Outsourcing

Outsourcing has become common across many industries as one method for companies to reduce costs and gain greater efficiencies. The effects on employees in an organization, however, often are overlooked or not timely addressed. There are a number of communications and employee protections that you should embrace to facilitate a successful transition and to avoid employee complaints and employment problems.