Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I use third-party cloud storage services that collect personal information in West Virginia? What are the requirements?

Use of Third-Party Cloud Storage Services in West Virginia

Yes, you can use third-party cloud storage services that collect personal information in West Virginia, but you must ensure that you comply with the state’s privacy laws. The West Virginia Code § 114-57-10 sets limits on the disclosure and use of nonpublic personal financial information by licensees.

Licensees may disclose nonpublic personal financial information to nonaffiliated third parties only under certain exceptions, such as sections 13 and 14 of the rule [1.1]. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in sections 13 or 14, the third party may disclose and use that information only as permitted by law [1.1].

Therefore, if you plan to use a third-party cloud storage service that collects personal information, you must ensure that the disclosure and use of that information comply with the exceptions in sections 13 and 14 of the rule [1.1]. Additionally, you must ensure that the third-party cloud storage service provider enters into a contractual agreement with you that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information [1.4].

Requirements for Records Storage

If you plan to store records containing personal information in a records center, you must ensure that you comply with the West Virginia Code § 148-14-5. All records retired to the Records Center should be packed in standard records storage cartons. All records should be organized, boxed, and filed as required by the State Records Center. All records retired to the Records Center shall have an adequate description for the records contained in each carton and a retention period clearly identified.

Information to be Included in Privacy Notices

If you are a licensee in West Virginia and you plan to use third-party cloud storage services that collect personal information, you must provide privacy notices to your customers that comply with the West Virginia Code § 114-57-5. The privacy notices must include the categories of nonpublic personal financial information that you collect and disclose, the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, and an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties.

Authorization Required for Disclosure of Nonpublic Personal Health Information

If you plan to disclose nonpublic personal health information about a consumer or customer, you must obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed, unless an exception applies [1.2].

Other Exceptions to Notice and Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information

There are several exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information, such as disclosures made with the consent or at the direction of the consumer, to protect the confidentiality or security of a licensee’s records, to protect against or prevent actual or potential fraud or unauthorized transactions, and to comply with federal, state or local laws [1.3].

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

Licensees may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless certain requirements are met, such as providing the consumer with an initial notice and opt-out notice, giving the consumer a reasonable opportunity to opt out of the disclosure, and obtaining the consumer’s consent [1.5].

Conditions for Disclosure of Directory Information

An educational agency or institution may disclose personally identifiable information from the education records of a student who is in attendance at the institution or agency if it has given notice that information has been designated as directory information [3.1].

In summary, you can use third-party cloud storage services that collect personal information in West Virginia, but you must ensure that you comply with the state’s privacy laws. You must ensure that the disclosure and use of that information comply with the exceptions in sections 13 and 14 of the rule, and that the third-party cloud storage service provider enters into a contractual agreement with you that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information. Additionally, you must ensure that you comply with the requirements for records storage and provide privacy notices to your customers that comply with the West Virginia Code § 114-57-5. If you plan to disclose nonpublic personal health information about a consumer or customer, you must obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed, unless an exception applies. There are several exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information, and licensees may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless certain requirements are met. An educational agency or institution may disclose personally identifiable information from the education records of a student who is in attendance at the institution or agency if it has given notice that information has been designated as directory information.

Source(s):
Jurisdiction

West Virginia