Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach Notification Laws:
- Up to $150,000 per breach

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to all consumer reporting agencies that compile and maintain files on a nationwide basis is required if more than 1,000 persons are affected by a breach of security, without unreasonable delay.
  • There is specifically defined information that must be included in the consumer notification.
  • There are industry specific laws governing protection of personal data for health, insurance and education.
  • If a vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • W. Va. Code §§ 46A-2A-101 – 46A-2A-105  Breach of Security of Consumer Information 
  • W. Va. Code §§ 33-6F-1 – 33-6F-2   Insurance / Disclosure of Non-Public Personal Information
  • W. Va. Code § 18-2-5h  Student Data Accessibility, Transparency and Accountability Act
  • W. Va. Code §§ 16-29G-1 and 16-29G-8  West Virginia Health Information Network/ Privacy; protection of information
BAck to map