# West Virginia Consumer Privacy Law[^about]

West Virginia has no comprehensive consumer-privacy statute. The operative state laws are the breach-notification article (W. Va. Code §§ 46A-2A-101 et seq.) and the WVCCPA's deceptive-practices article, layered with FTC Act § 5, GLBA, HIPAA, and COPPA.

## Which privacy laws apply to your business in West Virginia? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive West Virginia consumer-privacy law. The operative state framework is sectoral. The breach-notification article of the West Virginia Consumer Credit and Protection Act (WVCCPA) reaches any individual or *entity* that owns or licenses computerized personal information of state residents [^q1-stat-102a-duty] — and *entity* is defined to include corporations, partnerships, limited liability companies, associations, governments, and any other legal entity, whether for profit or not [^stat-101-entity]. Alongside it, the WVCCPA's general consumer-protection article declares unfair or deceptive acts or practices in any trade or commerce unlawful [^stat-6104-udap], which is the hook for privacy-related misrepresentation claims. Neither statute carries a revenue or consumer-volume threshold.

West Virginia has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or port their personal data, or to opt out of its sale or use in targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. Lawmakers have considered comprehensive consumer-data-protection legislation — a 2024 bill, House Bill 5123, would have created controller duties and consumer rights along the lines of other states' omnibus acts — but it died without passage, so no comprehensive regime is on the books or scheduled to take effect. What fills the gap is a layered framework: the breach-notification article sets the one statewide data-incident duty, the WVCCPA's deceptive-practices article polices what businesses say about their data handling [^stat-6101-purpose], and the rest of a West Virginia privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. Businesses in regulated industries should also confirm whether sector-specific obligations apply to them beyond the laws discussed here. This note is written to stay durable: if West Virginia later enacts a comprehensive law, a program built to this overlay upgrades rather than restarts.

## What must your West Virginia privacy policy contain? {#privacy-policy-contents}

**Short answer.** No West Virginia statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the governing rule is that whatever you publish has to be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^fed-ftc5-deceptive], and the WVCCPA reaches any deception, false promise, misrepresentation, or material omission made in connection with the sale or advertisement of goods or services — whether or not anyone was actually misled [^stat-6102-deception]. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice].

In practice the drafting question in West Virginia is less *what must be included* and more *does the policy match actual practice*. The WVCCPA makes that federal alignment explicit: West Virginia courts construing the deceptive-practices article are directed to be guided by the policies of the Federal Trade Commission and federal interpretations of FTC Act § 5 [^stat-6101-ftc-guided], so FTC deception doctrine — a privacy policy that misstates collection, use, sharing, retention, or security practices is deceptive — is effectively the West Virginia standard too. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution [^fed-glba-notice], the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13 [^fed-coppa-notice]. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** West Virginia has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Where a federal sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information is shared [^fed-hipaa-baa]. The one state-law touchpoint is breach response: a vendor that maintains computerized personal information it does not own or license must notify the owner or licensee of any breach as soon as practicable after discovery [^stat-102c-maintainer].

Outside the GLBA and HIPAA verticals, the prudent move is to carry the same protections forward as a matter of contract best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no West Virginia statute compels them. The breach-notification article's vendor duty is worth implementing expressly: because the statutory clock for notifying residents runs against the data owner, the contract should require the vendor to report any security incident to you quickly and in enough detail to let you decide whether resident notice is triggered. That duty is a breach-response rule, not a general data-processing-agreement mandate, so there is no West Virginia source to cite for omnibus vendor terms — which is itself the operative point.

## When must you notify people of a data breach in West Virginia? {#breach-notification}

**Short answer.** An individual or entity that owns or licenses computerized personal information must notify any West Virginia resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person — where the incident causes, or the entity reasonably believes it has caused or will cause, identity theft or other fraud — and the notice must be made without unreasonable delay [^stat-102a-notice]. A reportable *breach of the security of a system* is the unauthorized access and acquisition of unencrypted, unredacted computerized data that compromises personal information and leads the entity reasonably to believe identity theft or other fraud has resulted or will result [^stat-101-breach-def]. *Personal information* means a resident's first name or first initial and last name linked to a Social Security number, driver's license or state ID number, or a financial-account or card number with its required access code [^stat-101-pi-def]. If more than one thousand persons must be notified, the entity must also alert the nationwide consumer reporting agencies without unreasonable delay [^stat-102f-cra].

This is the one prong where West Virginia imposes a hard statutory duty, so it belongs at the center of any West Virginia incident-response plan. Two features narrow the trigger. First, the harm element: unlike a pure acquisition-based statute, West Virginia requires a reasonable belief that the breach has caused or will cause identity theft or other fraud before resident notice is due. Second, the encryption and redaction safe harbors: properly encrypted or redacted data generally falls outside the trigger — but notice is still required if encrypted information is acquired in unencrypted form or the incident involves someone with access to the encryption key [^stat-102b-encrypted]. The notice itself must describe the categories of information involved, give a contact point, and include the toll-free numbers and addresses of the major credit reporting agencies with fraud-alert and security-freeze information [^stat-102d-contents]. Notice may be delayed at a law-enforcement agency's direction while disclosure would impede an investigation [^stat-102e-delay]. Finally, there are deemed-compliance paths: an entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the article's timing rules is deemed compliant when it notifies residents under those procedures [^stat-103a-safeharbor], and a financial institution that follows the federal interagency guidance — or an entity that follows its primary or functional regulator's rules — is likewise deemed compliant [^stat-103bc-regulator].

## Can a consumer sue your business in West Virginia over privacy? {#consumer-lawsuit}

**Short answer.** Not under the breach-notification article — the Attorney General has exclusive authority to bring an action for its violation [^stat-104b-ag-exclusive]. The WVCCPA is a different story. Any person who purchases or leases goods or services and suffers an ascertainable loss from an unfair or deceptive practice may sue in circuit court to recover actual damages or $200, whichever is greater [^stat-6106-pra]. Two significant limits apply: damages require proof of an actual out-of-pocket loss proximately caused by the violation [^stat-6106-outofpocket], and no WVCCPA action may be filed until 45 days after the consumer has sent the business a written, certified-mail notice of the alleged violation and its factual basis [^stat-5108-cure].

The practical shape of private privacy litigation in West Virginia follows from those two statutes. A consumer cannot sue for a late or missing breach notice itself — that claim belongs to the Attorney General alone — but a consumer who bought goods or services in reliance on a deceptive privacy promise (a privacy policy that misstates what data is collected or shared, for example) can frame a WVCCPA deceptive-practices claim, with the $200 statutory minimum available where actual damages are small. The right-to-cure machinery matters operationally: the pre-suit notice opens a 45-day window for the business to deliver a written cure offer, the limitations period is tolled while that window runs or the cure is being performed [^stat-5108-tolling], and a cure offer that is made, accepted, and performed is a complete defense [^stat-5108-defense]. A business served with a WVCCPA notice should treat the cure window as a genuine settlement opportunity — a timely cure offer also cuts off liability for the consumer's post-offer attorney fees and court costs unless the eventual award exceeds the offer's value [^stat-5108-fees]. Beyond the WVCCPA, plaintiffs in data-incident cases typically plead common-law theories such as negligence and breach of implied contract, which rise or fall on ordinary proof-of-injury and standing principles rather than any West Virginia privacy statute.

## How is privacy law enforced in West Virginia? {#ag-enforcement}

**Short answer.** By the Attorney General. A failure to comply with the breach-notification article's notice provisions constitutes an unfair or deceptive act under the WVCCPA, enforceable by the Attorney General under that chapter's enforcement provisions [^stat-104a-bridge]. The penalty structure is forgiving by design: no civil penalty may be assessed unless the court finds a course of repeated and willful violations, and no penalty may exceed $150,000 per breach or per series of similar breaches discovered in a single investigation [^stat-104-penalty]. Licensed financial institutions are carved out entirely — violations by them are enforceable exclusively by the institution's primary functional regulator [^stat-104c-fininst].

The enforcement picture for a West Virginia-facing privacy program therefore has three tiers. First, breach-notice failures: an Attorney General matter only, with civil-penalty exposure reserved for repeated and willful non-compliance and capped at $150,000 per breach or related series. Second, deceptive privacy practices generally: the Attorney General enforces the WVCCPA's deceptive-practices article, and consumers hold the parallel private action described in the previous answer, so a misleading privacy policy carries both public and private exposure. Third, the federal layer: the FTC enforces Section 5, GLBA, and COPPA against businesses in their scope, and HHS enforces HIPAA — none of which depends on West Virginia law. The operational takeaway is that West Virginia's own enforcement risk concentrates on two failure modes — not notifying after a qualifying breach, and saying things about your data practices that are not true — and a program that handles both has covered the state-law field as it stands today.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not West Virginia. This article synthesizes West Virginia primary law and is not legal advice from a West Virginia-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-stat-102a-duty]: **W. Va. Code § 46A-2A-102** — "An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-102(a).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-101-entity]: **W. Va. Code § 46A-2A-101** — "‘Entity’ includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit." *W. Va. Code § 46A-2A-101(2).* <https://code.wvlegislature.gov/46A-2A-101/>

[^stat-6104-udap]: **W. Va. Code § 46A-6-104** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." *W. Va. Code § 46A-6-104.* <https://code.wvlegislature.gov/46A-6-104/>

[^stat-6101-purpose]: **W. Va. Code § 46A-6-101** — "The Legislature hereby declares that the purpose of this article is to complement the body of federal law governing unfair competition and unfair, deceptive and fraudulent acts or practices in order to protect the public and foster fair and honest competition." *W. Va. Code § 46A-6-101(1).* <https://code.wvlegislature.gov/46A-6-101/>

[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^stat-6102-deception]: **W. Va. Code § 46A-6-102** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise or misrepresentation, or the concealment, suppression or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any goods or services, whether or not any person has in fact been misled, deceived or damaged thereby;" *W. Va. Code § 46A-6-102(7)(M).* <https://code.wvlegislature.gov/46A-6-102/>

[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^stat-6101-ftc-guided]: **W. Va. Code § 46A-6-101** — "It is the intent of the Legislature that, in construing this article, the courts be guided by the policies of the Federal Trade Commission and interpretations given by the Federal Trade Commission and the federal courts to Section 5(a)(1) of the Federal Trade Commission Act (15 U. S. C. § 45(a)(1)), as from time to time amended, and to the various other federal statutes dealing with the same or similar matters." *W. Va. Code § 46A-6-101(1).* <https://code.wvlegislature.gov/46A-6-101/>

[^fed-glba-notice]: **GLBA Privacy Notice Requirement** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^fed-coppa-notice]: **COPPA Notice and Parental-Consent Requirement** — "require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;" *15 U.S.C. § 6502(b)(1)(A).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=require%20the%20operator%20of%20any,of%20personal%20information%20from%20children%3B>

[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>

[^stat-102c-maintainer]: **W. Va. Code § 46A-2A-102** — "An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person." *W. Va. Code § 46A-2A-102(c).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-102a-notice]: **W. Va. Code § 46A-2A-102** — "An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay." *W. Va. Code § 46A-2A-102(a).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-101-breach-def]: **W. Va. Code § 46A-2A-101** — "‘Breach of the security of a system’ means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-101(1).* <https://code.wvlegislature.gov/46A-2A-101/>

[^stat-101-pi-def]: **W. Va. Code § 46A-2A-101** — "‘Personal information’ means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted: (A) Social security number; (B) Driver's license number or state identification card number issued in lieu of a driver's license; or (C) Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts." *W. Va. Code § 46A-2A-101(6).* <https://code.wvlegislature.gov/46A-2A-101/>

[^stat-102f-cra]: **W. Va. Code § 46A-2A-102** — "If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a (p), of the timing, distribution and content of the notices." *W. Va. Code § 46A-2A-102(f).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-102b-encrypted]: **W. Va. Code § 46A-2A-102** — "An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-102(b).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-102d-contents]: **W. Va. Code § 46A-2A-102** — "The notice shall include: (1) To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses or state identification numbers and financial data; (2) A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn: (A) What types of information the entity maintained about that individual or about individuals in general; and (B) Whether or not the entity maintained information about that individual. (3) The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze." *W. Va. Code § 46A-2A-102(d).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-102e-delay]: **W. Va. Code § 46A-2A-102** — "Notice required by this section may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law-enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security." *W. Va. Code § 46A-2A-102(e).* <https://code.wvlegislature.gov/46A-2A-102/>

[^stat-103a-safeharbor]: **W. Va. Code § 46A-2A-103** — "An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system." *W. Va. Code § 46A-2A-103(a).* <https://code.wvlegislature.gov/46A-2A-103/>

[^stat-103bc-regulator]: **W. Va. Code § 46A-2A-103** — "A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article. (c) An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity's primary or functional regulator shall be in compliance with this article." *W. Va. Code § 46A-2A-103(b)-(c).* <https://code.wvlegislature.gov/46A-2A-103/>

[^stat-104b-ag-exclusive]: **W. Va. Code § 46A-2A-104** — "Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action." *W. Va. Code § 46A-2A-104(b).* <https://code.wvlegislature.gov/46A-2A-104/>

[^stat-6106-pra]: **W. Va. Code § 46A-6-106** — "Subject to subsection (b) of this section, any person who purchases or leases goods or services and thereby suffers an ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act, or practice prohibited or declared to be unlawful by the provisions of this article may bring an action in the circuit court of the county in which the seller or lessor resides or has his or her principal place of business or is doing business, or as provided for in §46A-1-1 and §46A-1-2 of this code, to recover actual damages or $200, whichever is greater." *W. Va. Code § 46A-6-106(a).* <https://code.wvlegislature.gov/46A-6-106/>

[^stat-6106-outofpocket]: **W. Va. Code § 46A-6-106** — "An award of damages in an action pursuant to subsection (a) of this section may not be made without proof that the person seeking damages suffered an actual out-of-pocket loss that was proximately caused by a violation of this article." *W. Va. Code § 46A-6-106(b).* <https://code.wvlegislature.gov/46A-6-106/>

[^stat-5108-cure]: **W. Va. Code § 46A-5-108** — "An action may not be brought pursuant to this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code until 45 days after the consumer has informed the creditor, debt collector, seller, or lessor in writing and by certified mail, return receipt requested, to the creditor’s, debt collector’s, seller’s, or lessor’s registered agent identified by the creditor, debt collector, seller, or lessor at the Office of the West Virginia Secretary of State or, if not registered with the West Virginia Secretary of State, then to the creditor’s, debt collector’s, seller’s, or lessor’s principal place of business, of the alleged violation and the factual basis for the violation." *W. Va. Code § 46A-5-108(a).* <https://code.wvlegislature.gov/46A-5-108/>

[^stat-5108-tolling]: **W. Va. Code § 46A-5-108** — "Any applicable statute of limitations is tolled for the 45-day period set forth in subsection (a) of this section or for the period the effectuation of the cure offer is being performed, whichever is longer." *W. Va. Code § 46A-5-108(c).* <https://code.wvlegislature.gov/46A-5-108/>

[^stat-5108-defense]: **W. Va. Code § 46A-5-108** — "Where an action is brought under this article or §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code, it is a complete defense that a cure offer was made, accepted, and the agreed upon cure was performed. If the court determines that the cure offer was accepted and the agreed upon cure performed, the creditor, debt collector, seller, or lessor is entitled to reasonable attorney’s fees and costs attendant to defending the action." *W. Va. Code § 46A-5-108(e).* <https://code.wvlegislature.gov/46A-5-108/>

[^stat-5108-fees]: **W. Va. Code § 46A-5-108** — "The creditor, debt collector, seller, or lessor is not liable for the consumer’s attorney’s fees and court costs incurred following delivery of the cure offer unless the actual damages, civil penalties, and any other monetary or equitable relief provided for under this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code are found to have been sustained and awarded, without consideration of attorney’s fees and court costs, exceed the value of the cure offer." *W. Va. Code § 46A-5-108(f).* <https://code.wvlegislature.gov/46A-5-108/>

[^stat-104a-bridge]: **W. Va. Code § 46A-2A-104** — "Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act of practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter." *W. Va. Code § 46A-2A-104(a).* <https://code.wvlegislature.gov/46A-2A-104/>

[^stat-104-penalty]: **W. Va. Code § 46A-2A-104** — "No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed $150,000 per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation." *W. Va. Code § 46A-2A-104(b).* <https://code.wvlegislature.gov/46A-2A-104/>

[^stat-104c-fininst]: **W. Va. Code § 46A-2A-104** — "A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator." *W. Va. Code § 46A-2A-104(c).* <https://code.wvlegislature.gov/46A-2A-104/>