West Virginia Data Breach Notification Laws: Reporting Rules & Timelines (2026)

West Virginia's data breach notification law takes a comparatively narrow approach. Unlike states that have expanded their definitions to cover biometric data, medical records, and login credentials, West Virginia protects only the three most traditional categories of personal information. The law also lacks a fixed notification deadline, instead using the "without unreasonable delay" standard, and does not require any notification to state agencies.
The statute is codified at W.Va. Code 46A-2A-101 (definitions) through 46A-2A-105. Originally enacted in 2008, the law has not been significantly amended since its passage, making it one of the older and less updated breach notification statutes in the country.
For a broader look at West Virginia's privacy framework, see the parent guide to [West Virginia Data Privacy Laws](/us-laws/data-privacy-laws/west-virginia-data-privacy-laws).
Who Must Comply
West Virginia's breach notification law applies to any individual or entity that owns or licenses computerized data that includes personal information about West Virginia residents.
This covers businesses of all sizes, nonprofit organizations, and any other entity that maintains a database of personal information. There is no minimum size threshold or revenue requirement.
Third-party service providers are also covered. Any entity that maintains computerized data on behalf of another entity must notify the data owner or licensee when a breach is discovered. The data owner then bears responsibility for consumer notification.
Notably, the law applies to entities that maintain data "as part of a database of personal information regarding multiple individuals." This language suggests that an entity holding personal information about only a single individual may not be subject to the notification requirements.
What Qualifies as Personal Information

West Virginia's definition of personal information is among the narrowest in the country. Under 46A-2A-101, personal information means a resident's first name or first initial and last name combined with any one or more of the following unencrypted, unredacted data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the resident's financial accounts
That is the complete list. West Virginia does not include biometric data, medical records, health insurance information, passport numbers, military IDs, login credentials, or any of the other expanded categories that many states have adopted in recent years.
Personal information does not include information lawfully obtained from publicly available records or from federal, state, or local government records lawfully made available to the general public.
What Triggers the Notification Requirement
A "breach of the security of a system" under West Virginia law means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
West Virginia imposes a dual trigger before notification is required:
- Unauthorized access and acquisition: Both elements must be present. Mere unauthorized access without acquisition, or acquisition without unauthorized access, does not trigger the statute.
- Risk of harm: The breach must cause the entity to "reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state."
This risk-of-harm analysis gives entities significant discretion. If an entity determines after investigation that a breach is unlikely to result in identity theft or fraud, notification is not required. However, the entity should document its analysis in case it is later questioned.
Good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Notification Timeline
West Virginia requires notice "without unreasonable delay" following discovery or notification of the breach.
There is no specific day count. This open-ended standard is less prescriptive than states like Colorado (30 days) or Vermont (45 days), but it also provides less clarity for organizations trying to plan their incident response.
The statute does allow a reasonable delay for two purposes:
- Investigation: An entity may delay notification to take measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
- Law enforcement: If a law enforcement agency determines that notification will impede a criminal or civil investigation, or jeopardize national or homeland security, the entity may delay notification. Notice must be given without unreasonable delay after the agency determines notification will no longer compromise the investigation.
What the Consumer Notice Must Include
West Virginia's statute does not specify particular content requirements for breach notification letters. This is another area where the law is less prescriptive than most states.
However, the Federal Trade Commission recommends that breach notifications include:
- A description of the incident
- The type of personal information involved
- Steps the entity has taken
- Contact information for the entity
- Recommendations for the consumer (fraud alerts, credit freezes, credit monitoring)
- Contact information for the credit reporting agencies and the FTC
While not required by West Virginia law, following these best practices reduces litigation risk and demonstrates good faith.
No Attorney General Notification

West Virginia does not require notification to the Attorney General or any other state agency when a data breach occurs. This makes it one of a shrinking number of states that do not require government notification.
Consumer Reporting Agency Notification
If a breach requires notification to more than 1,000 West Virginia residents, the entity must also notify the nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) without unreasonable delay.
The notice to the credit bureaus must include the timing, distribution, and content of the consumer notification. The purpose is to prepare the agencies for an influx of fraud alert and credit freeze requests.
Methods of Notification
West Virginia allows notification through several methods:
- Written notice sent to the most recent postal address in the entity's records
- Telephonic notice (direct phone call)
- Electronic notice (email), if the entity has an email address for the consumer and the notice is consistent with federal requirements under the E-SIGN Act
Substitute Notice
West Virginia allows substitute notice when direct notification is not feasible. An entity may use substitute notice if it demonstrates that:
- The cost of providing direct notice would exceed $50,000
- The affected class exceeds 100,000 residents
- The entity does not have sufficient contact information
Substitute notice must include all three of the following: email notification (if email addresses are available), conspicuous posting on the entity's website, and notification to major statewide media.
Encryption Safe Harbor

West Virginia provides an encryption safe harbor. The notification requirements apply only to "unencrypted and unredacted" personal information. If the compromised data was encrypted or redacted at the time of the breach, notification is not required.
The statute defines "redact" as alteration or truncation of data such that no more than the last four digits of a Social Security number, driver's license number, state ID number, or account number are accessible.
Enforcement and Penalties
The West Virginia Attorney General has exclusive enforcement authority over the breach notification law. Violations are treated as unfair or deceptive acts or practices under the West Virginia Consumer Credit and Protection Act.
There is no private right of action. Individual consumers cannot sue directly for notification failures under this statute.
Penalties are subject to specific caps:
- No civil penalty may be assessed unless the court finds a course of repeated and willful violations
- Civil penalties cannot exceed $150,000 per breach or series of related breaches discovered in a single investigation
The $150,000 cap and the requirement to show repeated, willful conduct make West Virginia's penalty structure more lenient than most states. Single-incident failures, even if negligent, may not result in civil penalties.
Sources and References
This article references West Virginia state statutes. Nothing in this article constitutes legal advice. Consult a licensed attorney in West Virginia for guidance on specific compliance obligations.
- W.Va. Code 46A-2A-101 Definitions (code.wvlegislature.gov)
- W.Va. Code 46A-2A-102 Notice of Breach (code.wvlegislature.gov)
- W.Va. Code 46A-2A-103 Substitute Notice (code.wvlegislature.gov)
- W.Va. Code Article 46A-2A Full Article (code.wvlegislature.gov)
- West Virginia Attorney General (ago.wv.gov)
- FTC Data Breach Response Guide (ftc.gov)