Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) was recently signed, making it the second state that has signed a consumer privacy regulation into law. This legislation follows what was implemented in California by way of the California Consumer Privacy Act (CCPA). The VCDPA, which draws on the CCPA and the European General Data Protection Regulation (GDPR), will go into effect on January 1, 2023.

The VCDPA applies to all business entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either:

  • control or process personal data of at least 100,000 Virginia residents, or
  • derive over 50% of gross revenue from the sale of personal and control or process personal data of at least 25,000 Virginia residents.

One difference with the VCDPA is there is no mention of a revenue threshold for imposing obligations to business entities. Even large organizations that do not meet the requirements won’t be subject to the VCDPA regulations. Notably, there are many exclusions to those entities that are subject to the VCDPA regulation. These include:

  1. Virginia state bodies and agencies
  2. Financial institutions or data subject to the Gramm-Leach-Bliley Act (“GLBA”)
  3. Covered entities or business associates under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act
  4. Non-profit organizations
  5. Institutions of higher education

Technical safeguards

Like most of the compliance regulations already in place, the VCDPA limits the collection and use of personal data to only the required data reasonably necessary for the use disclosed to the consumer. The VCDPA also obliges businesses to implement “reasonable administrative, technical, and physical data security practices that help to protect the confidentiality, integrity, and accessibility of consumer data.” This statement emphasizes the need for businesses to have the technical processes and solutions to implement robust cybersecurity in the environment.

In thinking about compliance objectives such as the VCDPA, are passwords a threat to cybersecurity? Absolutely. Compromised credentials are among the most common attack vectors used by cybercriminals to compromise business-critical and sensitive data. Notice what was documented in the IBM Cost of a Data Breach 2020 report:

“Stolen or compromised credentials were the most expensive cause of malicious data breaches. One in five companies (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million. Overall, malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%), at an average total cost of $4.27 million.”

Specops Password Auditor

Specops Password Auditor is a free tool that allows businesses to have quick visibility into accounts in the Active Directory environment with compromised passwords. It also allows IT admins to audit the configured Active Directory password policies to ensure they meet various compliance standards.

Specops Password Auditor provides visibility into dangerous account passwords in Active Directory

Securing passwords used in the Microsoft Active Directory environment is vitally important to meeting compliance objectives. Specops Software provides powerful tools that allow organizations to bolster password security in the environment.

(Last updated on April 25, 2022)

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at

Back to Blog