Information Covered / Important Definitions
Personal information of West Virginia residents.
“Security Breach” means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the security breach has caused or will cause identity theft or other fraud to any resident of West Virginia.
“Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable.
“Redact” means alteration or truncation of data such that no more than the last four digits of a social security number, driver’s license number, state identification card number, or account number is accessible as part of the personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
An individual or legal or commercial entity that owns or licenses computerized data that includes personal information.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach as soon as practicable following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or electronic notice must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal or civil investigation or jeopardize homeland or national security (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs exceed $50,000, the affected class exceeds 100,000 persons, or the covered entity has insufficient contact information.
- Notification is only required if the covered entity reasonably believes the security breach has caused or will cause identity theft or other fraud to any West Virginia resident.
Any covered entity that must notify more than 1,000 persons at one time of a security breach must also notify consumer reporting agencies without unreasonable delay.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. Safe harbor not available if personal information is encrypted but the encryption key is compromised.
A covered entity is deemed in compliance with the West Virginia statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the West Virginia statute.
A covered entity is deemed in compliance with the West Virginia statute if it complies with notification requirements or procedures imposed by its primary or functional federal regulator that are at least as protective as West Virginia’s statute.
Financial institutions subject to and in compliance with federal interagency guidelines are exempt.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
Violations constitute an unfair or deceptive act or practice.
No civil penalty may be assessed unless the court finds that the defendant has engaged in a course of repeated and willful violations.
No civil penalty will exceed $150,000 per breach or series of breaches of a similar nature that are discovered in a single investigation.
Violations by financial institutions will be redressed by their primary regulator.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.