New Data Breach Notification Law in the U.S. Virgin Islands
V.I. Code tit. 14, § 2208 (2019), also known as the U.S. Virgin Islands Data Breach Notification Law, is a data breach notification law that was passed in 2019. Although the U.S. Virgin Islands is not a state within the U.S., the nation is a U.S. territory and as such, the country has passed data breach notification legislation in accordance with similar legislative measures that the other states and territories within the U.S. have all implemented as of 2022. To this point, V.I. Code tit. 14, § 2208 (2019) establishes the requirements that business entities and organizations within the U.S. Virgin Islands are required to adhere to in the event that such parties experience a data breach or other related security incident that leads to the involuntary disclosure of personal information.
How is a data breach defined?
Under V.I. Code tit. 14, § 2208 (2019), a data breach is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.” On the contrary, the law defines personal information as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted- social security numbers, driver’s license numbers, and account numbers, credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
What are the requirements of business entities and organizations?
Under V.I. Code tit. 14, § 2208 (2019), businesses and organizations within the U.S. Virgin Islands are required to provide citizens of the territory with data breach notification notices in the event that their personal information is compromised or disclosed as a result of a data breach. These data breach notifications “must be made in the most expedient time possible and without unreasonable delay”, and contain information detailing the categories of personal information that has been compromised, and the measures that a particular business or organization has taken to determine the scope and severity of the breach, as well as restore the reasonable integrity of the data system that was improperly accessed as a result of the breach, among other pertinent details. Moreover, when providing consumers within the U.S. Virgin Islands with data breach notifications, said notifications may be provided using one of the following methods:
- Written notice.
- Electronic notice, permitting “the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 7001 of Title 15 of the United States Code.”
- Substitute notices, in instances where a business or organization demonstrates that the cost of providing data breach notices would exceed the cost of $100,000, the affected class of individuals who were subjected to the data breach would exceed 50,000, or the business or organization who experienced the data breach does not have sufficient contact information.
As it pertains to substitute notices concerning data breach incidents, V.I. Code tit. 14, § 2208 (2019) mandates that such notices be made via email in instances where a business or agency has an email address on file regarding individuals who have been involved in the breach. Furthermore, these notices must also be conspicuously posted on the website of a given business or organization, permitting the business or organization in question maintains a website. What’s more, the law also mandates that notification be made to major territory-wide media within the U.S. Virgin Islands in instances where a data breach occurs. In terms of the penalties that can result from failing to comply with the law, “any customer injured by a violation of the statute may bring a civil action to recover damages.”
As data breaches have become increasingly more common due to the level of personal information that the average citizen around the world discloses via electronic means, legislation such as V.I. Code tit. 14, § 2208 (2019) has become more relevant than ever before. As such, the U.S. has effectively mandated that all states and territories within the nation pass some form of data breach notification legislation for the purpose of addressing such incidents in the most effective and efficient manner possible. In this way, citizens of the U.S. Virgin Islands can have the peace of mind that their personal information will be protected in the case that is subject to a data breach, irrespective of the fact that they do not reside within a U.S. state.