As previously reported, the significant rise in Form W-2 phishing e-mails has prompted increased awareness surrounding these fraudulent tax schemes. Most recently, Virginia has responded to these types of attacks by amending its data breach notification law, Va. Code Ann. § 18.2-186.6(M). The amended law will require all employers and payroll service providers to notify the Virginia Attorney General if they are subject to a breach of payroll data, including a Form W-2 e-mail phishing scam.
The new law, effective July 1, 2017, and the first of its kind, requires that employers notify the Virginia Attorney General if they discover “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer” and “the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud.”
The notification must include the employer or payroll service provider’s name and federal employer identification number. Once alerted, the Office of Attorney General will report the incident to the Department of Taxation. Notification to the Attorney General is required even if the breach does not otherwise trigger the statute’s requirement that the company notify state residents of the breach. A copy of the new law can be found here. In another development, the IRS now has a webpage where businesses and payroll service providers can learn how to quickly report data losses resulting from a Form W-2 fraudulent tax scheme. To view the IRS webpage, click here.