CHAPTER 46A. WEST VIRGINIA CONSUMER CREDIT AND PROTECTION ACT.

ARTICLE 2A. BREACH OF SECURITY OF CONSUMER INFORMATION.

§46A-2A-101. Definitions.

As used in this article:

(1) "Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

(2) "Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit.

(3) "Encrypted" means transformation of data through the use of an algorithmic process to into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable.

(4) "Financial institution" has the meaning given that term in Section 6809(3), United States Code Title 15, as amended.

(5) "Individual" means a natural person.

(6) "Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:

(A) Social security number;

(B) Driver's license number or state identification card number issued in lieu of a driver's license; or

(C) Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

(7) "Notice" means:

(A) Written notice to the postal address in the records of the individual or entity;

(B) Telephonic notice;

(C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in Section 7001, United States Code Title 15, Electronic Signatures in Global and National Commerce Act.

(D) Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000 or that the affected class of residents to be notified exceeds one hundred thousand persons or that the individual or the entity does not have sufficient contact information or to provide notice as described in paragraph (A), (B) or (C). Substitute notice consists of any two of the following:

(i) E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;

(ii) Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or

(iii) Notice to major statewide media.

(8) "Redact" means alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number or account number is accessible as part of the personal information.

Bill History For §46A-2A-101