West Virginia Code § 46A-2A-101 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this State. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.
When is notice required?
Notice is required for any affected resident. Except for law enforcement delays "or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay." Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on the circumstances. If over 1,000 residents are affected, credit reporting agencies must be notified as well. Notice must include a description of the information compromised, a telephone number or website to contact the business and learn what types of information it has, both about specific residents and in general, and a toll-free number for major credit reporting agencies.
What are the penalties for non-compliance?
Violations have their own section of the law, § 46A-2A-104, which reads as follows:
(a) Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act of practice in violation of section one hundred four [§ 46A-6-104], article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter.
(b) Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action. No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed one hundred fifty thousand dollars per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.
(c) A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator.