Can you summarize WVCO Chapter 5A, Article 6C?
DEPARTMENT OF ADMINISTRATION. > WEST VIRGINIA CYBER INCIDENT REPORTING.
Short Summary
This article of the West Virginia Code, found under the Department of Administration, governs the reporting of qualified cybersecurity incidents. It applies to all state agencies within the executive branch, constitutional officers, all local government entities, county boards of education, the Judiciary, and the Legislature.

Qualified cybersecurity incidents must be reported to the Cybersecurity Office before any citizen notification, but no later than 10 days after determining that the entity experienced a qualifying cybersecurity incident. A qualified cybersecurity incident is one that meets at least one of the following criteria: (1) state or federal law requires reporting to regulatory or law enforcement agencies or affected citizens, (2) the ability of the entity to conduct business is substantially affected, or (3) the incident would be classified as emergency, severe, or high by the U.S. Cybersecurity and Infrastructure Security Agency.

The report to the Cybersecurity Office must include the approximate date of the incident and the date of its discovery, the nature of any illegally obtained or accessed data, and a list of regulatory agencies to whom notice has been or will be provided. The procedure for reporting cybersecurity incidents will be established by the Cybersecurity Office and disseminated to the entities listed in 5A-6C-2 of the code.

Additionally, the Cybersecurity Office is required to provide an annual report to the Joint Committee on Government and Finance containing the number and nature of incidents reported during the preceding calendar year. The report should also include recommendations on security standards or mitigation that should be adopted.
Whom does it apply to?
All state agencies within the executive branch, constitutional officers, all local government entities, county boards of education, the Judiciary, and the Legislature
What does it govern?
Reporting of qualified cybersecurity incidents
What are the exemptions?
No exemptions are mentioned.
What are the penalties?
No specific penalties are mentioned.
Jurisdiction
West Virginia