Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?


It's statutes may include:

  • Data owner responsibility for reporting and notifications;
  • Notification may be required to the consumer reporting agencies;
  • Consumer Notification may be required and must contain specific language and follow specific methods of delivery;
  • Laws also cover data protection;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

Who Me?


West Virginia breach and notification laws may apply if you are an individual or entity that:

  • Owns or licenses computerized data that includes PII;
  • Maintains computerized data that includes PII which the individual or entity does not own or license.

There are usually exemptions, but minimum standards must be met.

What is PII?


PII relevant to a breach in West Virginia includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license or state identification card number;
  • Financial account or credit/debit card numbers; with security or access codes, passwords, etc.



A few relevant statutes include, but are not limited to:

Chapter 46a. West Virginia Consumer Credit And Protection Act.

Article 2a. Breach Of Security Of Consumer Information.

        §46A-2A-101. Definitions.


A few related statutes include, but are not limited to:

Many are for state agencies:

§51-4-3. Preservation and destruction of papers; microphotography and electronic storage.

§5A-8-20. Alternate storage of state records.

§5-2-3. Retention and preservation of records of the secretary of state; destruction of records.



The state attorney general has exclusive authority to bring action. Repeated and willful violations may result in a civil penalty not to exceed $150,000 per breach. Noncompliance constitutes an unfair or deceptive act and may be enforced by the state attorney general.



When considering reporting requirements, it would include, but not be limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted, redacted, or otherwise altered;
  • If the data included any kind of key, access code, or cipher;
  • If it was acquired by an unauthorized person;
  • If it may be used for identity theft or other fraud.


In West Virginia, the notifications must be made without unreasonable delay, unless law enforcement advises the person it will impede an investigation.


Requires detailed information and potential provision of services

Notification may be required to the consumer reporting agencies.

Notices are required to contain certain language.

Disclosure may be made by written notice, electronically, or via telephone with stipulations. A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $50,000 or the persons to be notified exceeds 100,000, they do not have sufficient contact information.

Contact the Privacy Experts at CSR