WHEREAS, the number of reported breaches of secured information across the United States has risen substantially in recent years; and

WHEREAS, hundreds of thousands of cyber attacks occur annually across the United States, costing the national economy millions of dollars; and

WHEREAS, government entities, including local governments, have been the subject of thousands of cyber incidents, including data thefts or other security breaches; and

WHEREAS, with the recent surge in cyber crime and its potential to cause major disruption in Virginia, it is essential that localities in the Commonwealth adequately and promptly report security breaches in which personal information was or is reasonably believed to have been accessed or acquired by an unauthorized person; and

WHEREAS, in order to remediate such unauthorized breaches to the greatest extent possible and discourage identity theft, it is critical that the method used to report breaches of personal information is efficient and timely; and

WHEREAS, a work group of the Commonwealth of Virginia Cyber Security Commission has determined, on the basis of feedback received during outreach events, that localities need a reliable source of clear, concise, and understandable cyber threat information, including best practices and processes for requesting cyber security remediation assistance as well as a method to report cyber incidents; now, therefore, be it

RESOLVED by the House of Delegates, the Senate concurring, That the Joint Commission on Technology and Science be directed to study reporting of information breaches by localities.

In conducting its study, the Joint Commission on Technology and Science shall (i) evaluate and compare the various methods used by localities to report unauthorized breaches of personal information to the Office of the Attorney General and affected residents of the Commonwealth; (ii) identify one or more methods of reporting, such as through a central portal system, that promote the efficient and timely reporting of information breaches; and (iii) develop a list of best practices, processes, and resources that localities can use for cyber security remediation assistance and to report unauthorized information breaches.

All agencies of the Commonwealth shall provide assistance to the Joint Commission on Technology and Science for this study, upon request.

The Joint Commission on Technology and Science shall complete its meetings by November 30, 2018, and the chairman shall submit to the Division of Legislative Automated Systems an executive summary of its findings and recommendations no later than the first day of the 2019 Regular Session of the General Assembly. The executive summary shall state whether the Joint Commission on Technology and Science intends to submit to the General Assembly and the Governor a report of its findings and recommendations for publication as a House or Senate document. The executive summary and report shall be submitted as provided in the procedures of the Division of Legislative Automated Systems for the processing of legislative documents and reports and shall be posted on the General Assembly's website.