West Virginia Breach of Security of Consumer Information
WV Code § 46A-2A-101, et seq.
SUMMARY:
EFFECTIVE. June 6, 2008
WHO DOES THIS LAW APPLY TO. (1) Any person, business or government entity that conducts business in West Virginia and owns or licenses computerized data that includes Personal Information; and (2) any person or entity which maintains computerized data that includes Personal Information on State residents.
WHAT IS A BREACH. The unauthorized acquisition of and access to unencrypted and unredacted computerized data that compromises the security or confidentiality of Personal Information maintained by a person, business or government entity which causes or is reasonably likely to cause identity theft or other fraud to any resident. A good faith acquisition of Personal Information by an employee or agent for internal purposes only is not a breach, if it is not used for an unlawful purpose or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected. The notice shall include:
- A description of the data elements involved in the breach.
- Telephone number or website address to contact to obtain additional information.
- Toll-free telephone numbers and addresses for the major credit reporting agencies and directions for placing a fraud alert or security freeze.
If more than 1,000 individuals are involved in a breach, the person or business shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- A person or entity that is subject to Title V of the Federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.
- A person, business or government entity which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section is considered in compliance with this Section if the affected residents are notified by the person, business, or government entity in accordance with its policies.
- A financial institution that complies with the notification guidelines provided by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is considered in compliance with this Section.
- A person, business or government entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by its primary or functional regulator is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or government entity discovers or is notified of a security breach. The disclosure shall be made without unreasonable delay, consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines and advises that notification will impede a criminal investigation or national security. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (to the postal address of record).
- Telephonic.
- Electronic (if notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government entity can demonstrate that the cost of providing notice will exceed $50,000, the affected class of persons to be notified exceeds 100,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of any two of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or government entity maintains unencrypted data that includes Personal Information that it does not own, they shall notify the owner or licensee of the security breach as soon as possible following discovery. The person, business or government entity that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Except for licensed financial institutions, any notice violations of this Section will be considered an unfair or deceptive act or practice enforceable by the Attorney General. The Attorney General shall have the exclusive authority to bring action.
- A civil penalty will not be assessed unless the court finds that repeated and willful violations have occurred.
- A civil penalty up to $150,000 per breach, or series of breaches of a similar nature that are part of the same investigation.
- Violation by a licensed financial institution shall be exclusively enforced by the primary functional regulator.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
S.B. 340 – Signed into law on 3/27/2008, Effective 6/6/2008.
For more information, see here: https://code.wvlegislature.gov/46A-2A/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.