What are the legal requirements for data breach notification?

In West Virginia, businesses that own or license personal information must inform each individual whose personal information was exposed in a data breach. Personal information includes an individual’s first name or first initial and last name in combination with any of the following data: Social Security number; driver’s license number or state-issued identification card number; or financial account number, credit or debit card number in combination with any security code, access code, or password that would permit access to an individual’s financial account. When a data breach occurs, impacted individuals must be notified as soon as possible. The notification must include the estimated date of the breach, a description of the types of personal information that were accessed and used, a description of the steps that the individual should take to protect themselves, and contact information for the business or person responsible for the breach. All notifications must be in writing or through substitute notice by email, text message, or other available communication technology. Businesses must also notify the West Virginia Attorney General if the breach affects 500 or more residents of West Virginia. The notification must include the number of affected individuals, the type of information breached, a description of how the breach occurred, and the steps the business has taken to address the breach. Notification letters must be sent to the Office of the West Virginia Attorney General within 45 days of the data breach.

What are the legal requirements for data breach notification?

Related FAQs

Related Blog Posts