Security Breach Notice Law in the State of West Virginia
W.V. Code § 46A-2A-101 is a data breach notification law that was passed in the U.S. state of West Virginia in 2008. W.V. Code § 46A-2A-101 establishes the procedure that individuals, business entities, and organizations within the state are required to follow when a data breach occurs. The law also sets forth the sanctions and penalties that can be imposed on individuals and entities found to be in violation of it. Accordingly, W.V. Code § 46A-2A-101 is the primary legal means by which residents of West Virginia can seek relief from data breach incidents, since the state has no comprehensive privacy law comparable to the Virginia Consumer Data Protection Act.
How is a data breach defined under W.V. Code § 46A-2A-101?
Under W.V. Code § 46A-2A-101, a data breach is defined as the “unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals and that causes the Entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of WV.” By contrast, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for a purpose other than a lawful purpose of the Entity or subject to further unauthorized disclosure.”
What are the requirements of business entities and organizations under W.V. Code § 46A-2A-101?
W.V. Code § 46A-2A-101 mandates that any individual, business entity, or organization within the state of West Virginia notify all affected individuals and parties when a data breach incident occurs. Furthermore, if a data breach incident affects more than 1,000 residents of West Virginia, the individual or entity that experienced the breach is also required to notify the three major credit reporting agencies in the U.S. (Equifax, Experian, and TransUnion). In addition, data breach notifications provided to consumers in accordance with W.V. Code § 46A-2A-101 must contain the following information:
- A description of the categories of personal information that were compromised following the breach, including social security numbers, driver’s license numbers, and financial data, to the extent that providing such information is possible.
- “A telephone number or Web site address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn: what types of information the entity maintained about that individual or about individuals in general; and whether or not the entity maintained information about that individual.”
- The toll-free contact information of all three credit bureaus within the U.S., as well as information about the steps that affected consumers can take to place a fraud alert or security freeze on their credit report.
What categories of personal information are covered under W.V. Code § 46A-2A-101?
Under W.V. Code § 46A-2A-101, the following categories of personal information are protected in the event of a data breach when they appear in combination with a West Virginia resident’s first name or first initial and last name, provided that the data elements have not been redacted, encrypted, or otherwise altered:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers, credit card numbers, and debit card numbers, in combination with any required security codes, access codes, and passwords that could be used to grant access to an individual’s financial account.
However, the categories of personal information covered under the law do not include “information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.” Additionally, business entities and organizations within West Virginia are permitted to provide substitute data breach notifications to affected consumers under certain circumstances. Such circumstances include instances where the cost of providing standard data breach notifications to affected individuals and parties would exceed $50,000, instances where the class of affected residents is greater than 100,000, and instances where a business or organization does not have sufficient contact information to provide consumers with standard notification.
What are the penalties for violating W.V. Code § 46A-2A-101?
The provisions set forth in W.V. Code § 46A-2A-101 are enforced by the West Virginia Attorney General. Accordingly, the West Virginia Attorney General has the authority to impose a number of sanctions and penalties on individuals, business entities, and organizations that fail to adhere to the provisions established in the law. These include civil penalties in instances where a business entity or organization has been found to have repeatedly violated the law, with a maximum penalty of $150,000 for each breach. What’s more, “failure to comply with notification requirements constitutes as an unfair or deceptive act or practice and is enforceable by the Attorney General.”
Through the enactment of W.V. Code § 46A-2A-101 in 2008, residents of the state of West Virginia were provided with legal recourse should their personal information be compromised in a security breach. Because very few states within the U.S. have passed comprehensive privacy legislation, laws such as W.V. Code § 46A-2A-101 are the primary means by which the average American citizen can protect themselves from the adverse effects of data or security breaches. For citizens of West Virginia, W.V. Code § 46A-2A-101 is the statute that provides those protections.