West Virginia

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonably delay
Government Notification Required: No

W. Va. Code §§ 46A-2A-101 to -105

Scope of this Summary:

Notification requirements applicable to individuals or commercial entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

Notification not required if covered entity reasonably believes that breach has not and will not cause identity theft or other fraud to any resident.

Breach Defined

Unauthorized access and acquisition that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.

Form of Covered Info

Electronic Only

Covered Information

The first name or first initial and last name linked to any one or more of the following data elements:

  • Social Security number.
  • Driver's license number or state identification card number issued in lieu of a driver's license.
  • Financial account number, or credit card or debit card number, in combination with any required security code, access code or password that would permit access to a resident's financial accounts.

Consumer Notice Timing

Must be made without unreasonable delay, consistent with any measures to determine the scope of the breach and restore the reasonable integrity of the system.

Consumer Notice Method

By written notice to postal address in covered entity's records, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

Notification shall include, to the extent possible:

  • A description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses or state identification numbers and financial data.
  • A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:
    • What types of information the entity maintained about that individual or about individuals in general.
    • Whether or not the entity maintained information about that individual.
    • The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

Delayed Notice

Notification may be delayed if law enforcement determines and advises that notice will impede a criminal or civil investigation or homeland or national security.

Government Notice

The West Virginia statute does not require notice to any government or regulatory agencies.

Consumer Reporting Agency Notice

If more than 1,000 residents are notified under this statute, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.

Exceptions for Other Laws

An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify it as soon as practicable following discovery of a breach.

Private Right of Action

The West Virginia statute does not provide for a private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023