Mandatory Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect personal information
Written Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach and Notification Laws: Up to $150,000 per breach
Third Party Management: None to minimal
If a breach of security affects more than 1,000 persons, the breach must be reported, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on a nationwide basis.
The consumer notification must include specifically defined information.
There are industry-specific laws governing protection of personal data for health, insurance and education.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
W. Va. Code §§ 46A-2A-101 – 46A-2A-105 Breach of Security of Consumer Information (2008)
W. Va. Code §§ 33-6F-1 – 33-6F-2 Insurance / Disclosure of Non-Public Personal Information
W. Va. Code § 18-2-5h Student Data Accessibility, Transparency and Accountability Act
W. Va. Code §§ 16-29G-1 and 16-29G-8 West Virginia Health Information Network / Privacy; protection of information