Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of Breach Notification Laws:

- Up to $150,000 per breach

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to all consumer reporting agencies that compile and maintain files on a nationwide basis is required if more than 1,000 persons are affected by a breach of security, without unreasonable delay.
  • If any state residents are affected by a breach of security, the breached Organization must give notice without delay to each individual affected by the breach.
  • There is specifically defined information that must be included in the consumer notification.
  • Vendors must notify Organizations as soon as possible after discovery of a breach or suspected breach.
  • The Organization will be responsible to complete any required regulatory reporting and consumer notification.
  • Violations of the breach notification requirements constitutes an unfair or deceptive act of practice.
  • The Attorney General may bring an action to enforce repeated and willful violations of the breach requirements, with civil penalties assessed up to $150,000.
  • There are industry specific laws governing protection of personal data for health, insurance, and education.
Statutes and Laws
  • W. Va. Code §§ 46A-2A-101 – 46A-2A-105  Breach of Security of Consumer Information 
  • W. Va. Code §§ 33-6F-1 – 33-6F-2   Insurance / Disclosure of Non-Public Personal Information
  • W. Va. Code § 18-2-5h  Student Data Accessibility, Transparency and Accountability Act
  • W. Va. Code §§ 16-29G-1 and 16-29G-8  West Virginia Health Information Network/ Privacy; protection of information
BAck to map