Can I ignore my obligations as a service provider with access to personal information in West Virginia? What are the requirements?

Based on the context documents, you cannot ignore your obligations as a service provider with access to personal information in West Virginia. The West Virginia Code has specific requirements for the disclosure of nonpublic personal financial information, notice of breach of security of computerized personal information, and procedures deemed in compliance with security breach notice requirements.

Disclosure of Nonpublic Personal Health Information

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. However, there are exceptions to this requirement for the performance of insurance functions by or on behalf of the licensee ^[1.2].

Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions

The requirements for initial notice, opting out, and service providers and joint marketing do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with servicing or processing an insurance product or service that a consumer requests or authorizes ^[1.4].

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

A licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice, an opt-out notice, and given the consumer a reasonable opportunity to opt out of the disclosure ^[1.6].

Notice of Breach of Security of Computerized Personal Information

An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state ^[2.1].

Therefore, you cannot ignore your obligations as a service provider with access to personal information in West Virginia. You must comply with the West Virginia Code’s requirements for the disclosure of nonpublic personal financial information, notice of breach of security of computerized personal information, and disclosure of nonpublic personal health information.

Source(s):

• [1.2] When Authorization Required for Disclosure of Nonpublic Personal Health Information.
• [1.4] Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions.
• [1.6] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
• [2.1] Notice of breach of security of computerized personal information.

Jurisdiction

West Virginia

• Privacy