Can I avoid having a data breach response plan in West Virginia? What are the requirements?

Data Breach Response Plan Requirements in West Virginia

In West Virginia, entities that maintain personal information are required to have a data breach response plan in place ^[1.1]. The plan must include notification procedures that are consistent with the timing requirements of the West Virginia Code and must be in compliance with the notification requirements of the West Virginia Code ^[1.1].

An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of the West Virginia Code shall be deemed to be in compliance with the notification requirements of the West Virginia Code if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system ^[1.1].

A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the West Virginia Code ^[1.1].

An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the entity’s primary or functional regulator shall be in compliance with the West Virginia Code ^[1.1].

Therefore, if an entity maintains its own notification procedures that are consistent with the timing requirements of the West Virginia Code, it can be deemed to be in compliance with the notification requirements of the West Virginia Code. However, financial institutions and entities that comply with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the entity’s primary or functional regulator are also in compliance with the West Virginia Code.

Exemptions

The West Virginia Cybersecurity Office is applicable to all state agencies, excluding higher education institutions, the State Police, state constitutional officers identified in §6-7-2 of this code, the Legislature and the Judiciary ^[2.1].

Source(s):

• [1.1] Procedures deemed in compliance with security breach notice requirements.
• [2.1] West Virginia Cybersecurity Office; scope; exemptions.

Jurisdiction

West Virginia

• Privacy