Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonably delay
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to individuals or commercial entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if covered entity reasonably believes that breach has not and will not cause identity theft or other fraud to any resident.
Unauthorized access and acquisition that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.
Form of Covered Info
The first name or first initial and last name linked to any one or more of the following data elements:
Social Security number.
Driver's license number or state identification card number issued in lieu of a driver's license.
Financial account number, or credit card or debit card number, in combination with any required security code, access code or password that would permit access to a resident's financial accounts.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice to postal address in covered entity's records, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Notification shall include, to the extent possible:
A description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses or state identification numbers and financial data.
A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:
What types of information the entity maintained about that individual or about individuals in general.
Whether or not the entity maintained information about that individual.
The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.
Notification may be delayed if law enforcement determines and advises that notice will impede a criminal or civil investigation or homeland or national security.
The West Virginia statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified under this statute, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.
If you maintain covered info on behalf of another entity, you must notify it as soon as practicable following discovery of a breach.
Private Right of Action
The West Virginia statute does not provide for a private right of action.
Violations may result in civil penalties.