Virgin Islands Notices of Security Breach
14 V.I.C. § 2201, § 2208, § 2209 - § 2212
SUMMARY:
EFFECTIVE. October 17, 2005
WHO DOES THIS LAW APPLY TO. Applies to individuals, businesses, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.
WHAT IS A BREACH. unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
-
Social Security number.
-
Driver's license number.
-
Account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or territorial government records.
WHO TO NOTIFY OF THE BREACH. Notice must be sent to any resident of the Virgin Islands whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
EXCEPTION.
-
Does not apply to encrypted information.
-
An agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
WHEN TO NOTIFY OF THE BREACH. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that providing notice will impede a criminal investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
-
Written notice.
-
Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 7001 of Title 15 of the United States Code.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be provided if the cost of providing notice will exceed $100,000, or that the affected class of subject persons to be notified exceeds 50,000, or the subject entity lacks sufficient contact information to provide notice.
Substitute notice shall consist of all of the following:
-
Email notice when the person or business has an email address for the subject persons.
-
Conspicuous posting of the notice on the subject entity’s website if it maintains one.
-
Notification to major territory-wide media.
NOTICE TO THIRD-PARTIES. If personal information is maintained on behalf of another entity, the entity must be notified immediately following discovery of a breach.
CONSEQUENCES FOR FAILING TO NOTIFY. Any business that violates, proposes to violate, or has violated this title may be enjoined. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
PRIVATE RIGHT OF ACTION. Residents injured by a violation of the statute may commence a civil action to recover damages.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
No. 6789, § 2, Sess. L. 2005, Oct. 17, 2005
For more information, see here: https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=269bcfb6-5191-4134-9e62-16aa770488fe&nodeid=AAQACQAABAAB&nodepath=%2FROOT%2FAAQ%2FAAQACQ%2FAAQACQAAB%2FAAQACQAABAAB&level=4&haschildren=&populated=false&title=%C2%A7+2200.+Short+title&config=014DJAA3OWU1MmYyMC1kNzRhLTQ4NDAtYTMxZS01YzJhMzBkZDA0NDMKAFBvZENhdGFsb2dSOvVciRp0EcGxvMymeAXd&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A56WP-9MJ1-6G1M-90FD-00008-00&ecomp=vg1_kkk&prid=f08480c7-76d9-4f49-8a65-4eb137e1f817
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.