State Law Practice Note

West Virginia Consumer Privacy Law

West Virginia has no comprehensive consumer-privacy statute. The operative state laws are the breach-notification article (W. Va. Code §§ 46A-2A-101 et seq.) and the WVCCPA's deceptive-practices article, layered with FTC Act § 5, GLBA, HIPAA, and COPPA.

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in West Virginia?

There is no comprehensive West Virginia consumer-privacy law. The operative state framework is sectoral. The breach-notification article of the West Virginia Consumer Credit and Protection Act (WVCCPA) reaches any individual or entity that owns or licenses computerized personal information of state residents — and entity is defined to include corporations, partnerships, limited liability companies, associations, governments, and any other legal entity, whether for profit or not. Alongside it, the WVCCPA's general consumer-protection article declares unfair or deceptive acts or practices in any trade or commerce unlawful, which is the hook for privacy-related misrepresentation claims. Neither statute carries a revenue or consumer-volume threshold.

West Virginia has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or port their personal data, or to opt out of its sale or use in targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. Lawmakers have considered comprehensive consumer-data-protection legislation — a 2024 bill, House Bill 5123, would have created controller duties and consumer rights along the lines of other states' omnibus acts — but it died without passage, so no comprehensive regime is on the books or scheduled to take effect. What fills the gap is a layered framework: the breach-notification article sets the one statewide data-incident duty, the WVCCPA's deceptive-practices article polices what businesses say about their data handling, and the rest of a West Virginia privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. Businesses in regulated industries should also confirm whether sector-specific obligations apply to them beyond the laws discussed here. This note is written to stay durable: if West Virginia later enacts a comprehensive law, a program built to this overlay upgrades rather than restarts.

Sources for this answer

Primary law

A.1 W. Va. Code § 46A-2A-102

The breach-notification duty runs to any individual or entity that owns or licenses computerized data that includes personal information of West Virginia residents.

An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.

See W. Va. Code § 46A-2A-102(a).

Primary law

A.2 W. Va. Code § 46A-2A-101

The breach-notification article applies to any individual or entity, with entity defined to include corporations, partnerships, limited liability companies, associations, governments, and any other legal entity, for profit or not.

"Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit.

See W. Va. Code § 46A-2A-101(2).

Primary law

A.3 W. Va. Code § 46A-6-104

The WVCCPA declares unfair methods of competition and unfair or deceptive acts or practices in any trade or commerce unlawful — the general consumer-protection rule that reaches privacy misrepresentations.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.

See W. Va. Code § 46A-6-104.

Primary law

A.4 W. Va. Code § 46A-6-101

The WVCCPA's consumer-protection article is designed to complement the body of federal law governing unfair, deceptive, and fraudulent acts or practices.

The Legislature hereby declares that the purpose of this article is to complement the body of federal law governing unfair competition and unfair, deceptive and fraudulent acts or practices in order to protect the public and foster fair and honest competition.

See W. Va. Code § 46A-6-101(1).

What must your West Virginia privacy policy contain?

No West Virginia statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the governing rule is that whatever you publish has to be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful, and the WVCCPA reaches any deception, false promise, misrepresentation, or material omission made in connection with the sale or advertisement of goods or services — whether or not anyone was actually misled. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.

In practice the drafting question in West Virginia is less "what must be included" and more "does the policy match actual practice". The WVCCPA makes that federal alignment explicit: West Virginia courts construing the deceptive-practices article are directed to be guided by the policies of the Federal Trade Commission and federal interpretations of FTC Act § 5, so FTC deception doctrine — a privacy policy that misstates collection, use, sharing, retention, or security practices is deceptive — is effectively the West Virginia standard too. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.

Sources for this answer

Primary law

B.1 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.2 W. Va. Code § 46A-6-102

The WVCCPA defines unfair or deceptive acts to include any deception, false promise, misrepresentation, or concealment or omission of material fact in connection with the sale or advertisement of goods or services, whether or not anyone was in fact misled.

The act, use or employment by any person of any deception, fraud, false pretense, false promise or misrepresentation, or the concealment, suppression or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any goods or services, whether or not any person has in fact been misled, deceived or damaged thereby;

See W. Va. Code § 46A-6-102(7)(M).

Primary law

B.4 W. Va. Code § 46A-6-101

West Virginia courts construing the WVCCPA's deceptive-practices article are directed to be guided by FTC policies and federal interpretations of FTC Act § 5.

It is the intent of the Legislature that, in construing this article, the courts be guided by the policies of the Federal Trade Commission and interpretations given by the Federal Trade Commission and the federal courts to Section 5(a)(1) of the Federal Trade Commission Act (15 U. S. C. § 45(a)(1)), as from time to time amended, and to the various other federal statutes dealing with the same or similar matters.

See W. Va. Code § 46A-6-101(1).

Primary law

B.3 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

Primary law

B.5 GLBA Privacy Notice Requirement

GLBA bars a financial institution from disclosing nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a privacy notice complying with the statute's notice rules.

Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

B.6 COPPA Notice and Parental-Consent Requirement

COPPA regulations require an operator of a website or online service directed to children to post notice of what information it collects from children, how it uses it, and its disclosure practices, and to obtain verifiable parental consent.

require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;

See 15 U.S.C. § 6502(b)(1)(A).

What must your contracts with vendors say?

West Virginia has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Where a federal sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information is shared. The one state-law touchpoint is breach response: a vendor that maintains computerized personal information it does not own or license must notify the owner or licensee of any breach as soon as practicable after discovery.

Outside the GLBA and HIPAA verticals, the prudent move is to carry the same protections forward as a matter of contract best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no West Virginia statute compels them. The breach-notification article's vendor duty is worth implementing expressly: because the statutory clock for notifying residents runs against the data owner, the contract should require the vendor to report any security incident to you quickly and in enough detail to let you decide whether resident notice is triggered. That duty is a breach-response rule, not a general data-processing-agreement mandate, so there is no West Virginia source to cite for omnibus vendor terms — which is itself the operative point.

Sources for this answer

Primary law

C.1 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

C.2 HIPAA Business Associate Contracts

HIPAA requires a business-associate contract that establishes permitted uses and disclosures of protected health information and binds the business associate to safeguard the information, report unauthorized uses and breaches, and flow the same restrictions down to subcontractors.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

See 45 C.F.R. § 164.504(e)(2).

Primary law

C.3 W. Va. Code § 46A-2A-102

An entity that maintains computerized personal information it does not own or license must notify the owner or licensee of any breach of the security of the system as soon as practicable following discovery.

An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person.

See W. Va. Code § 46A-2A-102(c).

When must you notify people of a data breach in West Virginia?

An individual or entity that owns or licenses computerized personal information must notify any West Virginia resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person — where the incident causes, or the entity reasonably believes it has caused or will cause, identity theft or other fraud — and the notice must be made without unreasonable delay. A reportable breach of the security of a system is the unauthorized access and acquisition of unencrypted, unredacted computerized data that compromises personal information and leads the entity reasonably to believe identity theft or other fraud has resulted or will result. Personal information means a resident's first name or first initial and last name linked to a Social Security number, driver's license or state ID number, or a financial-account or card number with its required access code. If more than one thousand persons must be notified, the entity must also alert the nationwide consumer reporting agencies without unreasonable delay.

This is the one prong where West Virginia imposes a hard statutory duty, so it belongs at the center of any West Virginia incident-response plan. Two features narrow the trigger. First, the harm element: unlike a pure acquisition-based statute, West Virginia requires a reasonable belief that the breach has caused or will cause identity theft or other fraud before resident notice is due. Second, the encryption and redaction safe harbors: properly encrypted or redacted data generally falls outside the trigger — but notice is still required if encrypted information is acquired in unencrypted form or the incident involves someone with access to the encryption key. The notice itself must describe the categories of information involved, give a contact point, and include the toll-free numbers and addresses of the major credit reporting agencies with fraud-alert and security-freeze information. Notice may be delayed at a law-enforcement agency's direction while disclosure would impede an investigation. Finally, there are deemed-compliance paths: an entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the article's timing rules is deemed compliant when it notifies residents under those procedures, and a financial institution that follows the federal interagency guidance — or an entity that follows its primary or functional regulator's rules — is likewise deemed compliant.

Sources for this answer

Primary law

D.1 W. Va. Code § 46A-2A-102

An entity that owns or licenses computerized personal information must notify affected West Virginia residents of a breach that it reasonably believes has caused or will cause identity theft or other fraud, without unreasonable delay.

An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.

See W. Va. Code § 46A-2A-102(a).

Primary law

D.2 W. Va. Code § 46A-2A-101

A breach of the security of a system is the unauthorized access and acquisition of unencrypted, unredacted computerized data that compromises personal information and causes the entity reasonably to believe identity theft or other fraud has resulted or will result.

"Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state.

See W. Va. Code § 46A-2A-101(1).

Primary law

D.3 W. Va. Code § 46A-2A-101

Personal information is a resident's first name or first initial and last name linked to an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number with its required access code.

"Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted: (A) Social security number; (B) Driver's license number or state identification card number issued in lieu of a driver's license; or (C) Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts.

See W. Va. Code § 46A-2A-101(6).

Primary law

D.5 W. Va. Code § 46A-2A-102

Notice is required even for encrypted data if the information is acquired in unencrypted form or the breach involves a person with access to the encryption key, where identity theft or other fraud is reasonably believed to result.

An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.

See W. Va. Code § 46A-2A-102(b).

Primary law

D.4 W. Va. Code § 46A-2A-102

If more than one thousand persons must be notified of a breach, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the notices.

If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a (p), of the timing, distribution and content of the notices.

See W. Va. Code § 46A-2A-102(f).

Primary law

D.8 W. Va. Code § 46A-2A-103

An entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the article's timing requirements is deemed compliant when it notifies residents under those procedures.

An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system.

See W. Va. Code § 46A-2A-103(a).

Primary law

D.6 W. Va. Code § 46A-2A-102

The breach notice must describe the categories of information involved, give a telephone number or website contact point, and include the toll-free numbers and addresses of the major credit reporting agencies with fraud-alert and security-freeze information.

The notice shall include: (1) To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses or state identification numbers and financial data; (2) A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn: (A) What types of information the entity maintained about that individual or about individuals in general; and (B) Whether or not the entity maintained information about that individual. (3) The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

See W. Va. Code § 46A-2A-102(d).

Primary law

D.7 W. Va. Code § 46A-2A-102

Breach notice may be delayed if a law-enforcement agency determines and advises that notice would impede a criminal or civil investigation or homeland or national security, and must then be made without unreasonable delay once that concern lapses.

Notice required by this section may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law-enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.

See W. Va. Code § 46A-2A-102(e).

Primary law

D.9 W. Va. Code § 46A-2A-103

A financial institution that follows the Federal Interagency Guidance on response programs, or an entity that complies with its primary or functional regulator's notification rules or guidelines, is deemed in compliance with the breach-notification article.

A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article. (c) An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.

See W. Va. Code § 46A-2A-103(b)-(c).

Can a consumer sue your business in West Virginia over privacy?

Not under the breach-notification article — the Attorney General has exclusive authority to bring an action for its violation. The WVCCPA is a different story. Any person who purchases or leases goods or services and suffers an ascertainable loss from an unfair or deceptive practice may sue in circuit court to recover actual damages or $200, whichever is greater. Two significant limits apply: damages require proof of an actual out-of-pocket loss proximately caused by the violation, and no WVCCPA action may be filed until 45 days after the consumer has sent the business a written, certified-mail notice of the alleged violation and its factual basis.

The practical shape of private privacy litigation in West Virginia follows from those two statutes. A consumer cannot sue for a late or missing breach notice itself — that claim belongs to the Attorney General alone — but a consumer who bought goods or services in reliance on a deceptive privacy promise (a privacy policy that misstates what data is collected or shared, for example) can frame a WVCCPA deceptive-practices claim, with the $200 statutory minimum available where actual damages are small. The right-to-cure machinery matters operationally: the pre-suit notice opens a 45-day window for the business to deliver a written cure offer, the limitations period is tolled while that window runs or the cure is being performed, and a cure offer that is made, accepted, and performed is a complete defense. A business served with a WVCCPA notice should treat the cure window as a genuine settlement opportunity — a timely cure offer also cuts off liability for the consumer's post-offer attorney fees and court costs unless the eventual award exceeds the offer's value. Beyond the WVCCPA, plaintiffs in data-incident cases typically plead common-law theories such as negligence and breach of implied contract, which rise or fall on ordinary proof-of-injury and standing principles rather than any West Virginia privacy statute.

Sources for this answer

Primary law

E.1 W. Va. Code § 46A-2A-104

The Attorney General has exclusive authority to bring an action for a violation of the breach-notification article, so consumers have no private right of action under it.

Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action.

See W. Va. Code § 46A-2A-104(b).

Primary law

E.2 W. Va. Code § 46A-6-106

A person who purchases or leases goods or services and suffers an ascertainable loss from a prohibited practice may sue in circuit court to recover actual damages or $200, whichever is greater.

Subject to subsection (b) of this section, any person who purchases or leases goods or services and thereby suffers an ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act, or practice prohibited or declared to be unlawful by the provisions of this article may bring an action in the circuit court of the county in which the seller or lessor resides or has his or her principal place of business or is doing business, or as provided for in §46A-1-1 and §46A-1-2 of this code, to recover actual damages or $200, whichever is greater.

See W. Va. Code § 46A-6-106(a).

Primary law

E.3 W. Va. Code § 46A-6-106

A WVCCPA damages award requires proof that the person seeking damages suffered an actual out-of-pocket loss proximately caused by the violation.

An award of damages in an action pursuant to subsection (a) of this section may not be made without proof that the person seeking damages suffered an actual out-of-pocket loss that was proximately caused by a violation of this article.

See W. Va. Code § 46A-6-106(b).

Primary law

E.4 W. Va. Code § 46A-5-108

No WVCCPA action may be brought until 45 days after the consumer has informed the business in writing, by certified mail, of the alleged violation and its factual basis.

An action may not be brought pursuant to this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code until 45 days after the consumer has informed the creditor, debt collector, seller, or lessor in writing and by certified mail, return receipt requested, to the creditor’s, debt collector’s, seller’s, or lessor’s registered agent identified by the creditor, debt collector, seller, or lessor at the Office of the West Virginia Secretary of State or, if not registered with the West Virginia Secretary of State, then to the creditor’s, debt collector’s, seller’s, or lessor’s principal place of business, of the alleged violation and the factual basis for the violation.

See W. Va. Code § 46A-5-108(a).

Primary law

E.5 W. Va. Code § 46A-5-108

The statute of limitations is tolled during the 45-day cure window or while an accepted cure offer is being performed, whichever is longer.

Any applicable statute of limitations is tolled for the 45-day period set forth in subsection (a) of this section or for the period the effectuation of the cure offer is being performed, whichever is longer.

See W. Va. Code § 46A-5-108(c).

Primary law

E.6 W. Va. Code § 46A-5-108

It is a complete defense to a WVCCPA action that a cure offer was made, accepted, and the agreed-upon cure performed, and the business is then entitled to its reasonable attorney fees and costs of defending the action.

Where an action is brought under this article or §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code, it is a complete defense that a cure offer was made, accepted, and the agreed upon cure was performed. If the court determines that the cure offer was accepted and the agreed upon cure performed, the creditor, debt collector, seller, or lessor is entitled to reasonable attorney’s fees and costs attendant to defending the action.

See W. Va. Code § 46A-5-108(e).

Primary law

E.7 W. Va. Code § 46A-5-108

A business that timely delivers a cure offer is not liable for the consumer's attorney fees and court costs incurred after delivery unless the relief ultimately awarded, excluding fees and costs, exceeds the value of the cure offer.

The creditor, debt collector, seller, or lessor is not liable for the consumer’s attorney’s fees and court costs incurred following delivery of the cure offer unless the actual damages, civil penalties, and any other monetary or equitable relief provided for under this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code are found to have been sustained and awarded, without consideration of attorney’s fees and court costs, exceed the value of the cure offer.

See W. Va. Code § 46A-5-108(f).

How is privacy law enforced in West Virginia?

By the Attorney General. A failure to comply with the breach-notification article's notice provisions constitutes an unfair or deceptive act under the WVCCPA, enforceable by the Attorney General under that chapter's enforcement provisions. The penalty structure is forgiving by design: no civil penalty may be assessed unless the court finds a course of repeated and willful violations, and no penalty may exceed $150,000 per breach or per series of similar breaches discovered in a single investigation. Licensed financial institutions are carved out entirely — violations by them are enforceable exclusively by the institution's primary functional regulator.

The enforcement picture for a West Virginia-facing privacy program therefore has three tiers. First, breach-notice failures: an Attorney General matter only, with civil-penalty exposure reserved for repeated and willful non-compliance and capped at $150,000 per breach or related series. Second, deceptive privacy practices generally: the Attorney General enforces the WVCCPA's deceptive-practices article, and consumers hold the parallel private action described in the previous answer, so a misleading privacy policy carries both public and private exposure. Third, the federal layer: the FTC enforces Section 5, GLBA, and COPPA against businesses in their scope, and HHS enforces HIPAA — none of which depends on West Virginia law. The operational takeaway is that West Virginia's own enforcement risk concentrates on two failure modes — not notifying after a qualifying breach, and saying things about your data practices that are not true — and a program that handles both has covered the state-law field as it stands today.

Sources for this answer

Primary law

F.1 W. Va. Code § 46A-2A-104

Failure to comply with the breach-notification article's notice provisions constitutes an unfair or deceptive act under the WVCCPA, enforceable by the Attorney General.

Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act of practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter.

See W. Va. Code § 46A-2A-104(a).

Primary law

F.2 W. Va. Code § 46A-2A-104

Civil penalties for breach-notice violations require a course of repeated and willful violations and are capped at $150,000 per breach or per series of similar breaches discovered in a single investigation.

No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed $150,000 per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.

See W. Va. Code § 46A-2A-104(b).

Primary law

F.3 W. Va. Code § 46A-2A-104

A breach-notification violation by a licensed financial institution is enforceable exclusively by the institution's primary functional regulator.

A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator.

See W. Va. Code § 46A-2A-104(c).