November 2023

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

The Constitution of West Virginia does not provide a general right to privacy.

2. KEY PRIVACY LAWS

2.1. Personal Information Breach Notification

West Virginia has enacted a personal information breach notification law, under §46A-2A-101 et seq. of Article 2A of Chapter 46A of the West Virginia Code ('W.V. Code') ('the Breach Notification Law'). The Breach Notification Law applies to an individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency or instrumentality, or any other legal entity, whether for profit or not for profit, that owns or licenses computerized data that includes personal information (§46A-2A-101(2) of the W.V. Code).

Under the Breach Notification Law, a covered entity must give notice of any breach of the security of the system following the discovery or notification of the breach of the security of the system to any resident of West Virginia whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause identity theft, or other fraud to any resident of West Virginia. The following definitions are key to understanding when the Breach Notification Law's notification obligations are triggered.

Breach of the security of a system: The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of West Virginia. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or is subject to further unauthorized disclosure (§46A-2A-101(1) of the W.V. Code).

Encrypted: The transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable (§46A-2A-101(3) of the W.V. Code).

Personal information: The first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of West Virginia, when the data elements are neither encrypted nor redacted (§46A-2A-101(6) of the W.V. Code):

• social security number;
• driver's license number or state identification card number issued in lieu of a driver's license; or
• financial account number, or credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.

The term does not include information that is lawfully obtained from publicly available information, or from federal, State, or local Government records lawfully made available to the general public (§46A-2A-101(6) of the W.V. Code).

Redact: Alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number, or account number is accessible as part of the personal information (§46A-2A-101(8) of the W.V. Code).

Like most personal information breach notification laws, the Breach Notification Law allows notification to be delayed in certain circumstances. In particular, notification may be reasonably delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required under §46A-2A-102(e) of the W.V. Code must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security (§46A-2A-102(e) of the W.V. Code).

Notification to affected individuals must be provided in writing to the postal address in the records of the individual or entity, by telephone, or by electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures. Alternatively, substitute notice is allowed if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000 or that the affected class of residents to be notified exceeds 100,000 persons, or that the individual or the entity does not have sufficient contact information or to provide notice. Substitute notice consists of any two of the following (§46A-2A-101(7)(D) of the W.V. Code):

• email notice if the individual or the entity has the email addresses of the members of the affected class of residents;
• conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or
• notice to a major statewide media.

Notification to the affected individuals must include the following (§46A-2A-102(d) of the W.V. Code):

• to the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses, or State identification numbers, and financial data;
• a telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:
  • what types of information the entity maintained about that individual or about individuals in general; and
  • whether or not the entity maintained information about that individual; and
  • the toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

If the notification is provided to more than 1,000 persons of a breach of security, the entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notices (§46A-2A-102(f) of the W.V. Code). The Breach Notification Law is enforced by the West Virginia Attorney General ('AG'), who may impose a civil penalty not to exceed $150,000 per breach.

In the event of a personal information breach, organizations are at risk of regulatory enforcement action. For e.g., the AG has joined multi-state enforcement actions, including the $5 million settlement with Community Health Systems, Inc. in 2020 (which includes $73,897 for West Virginia) and the Equifax settlement in 2019 (which included $2.4 million for West Virginia). In addition, entities are also at risk of civil litigation through West Virginia's general consumer protection laws (see §46A-6-101 et seq. of Article 6 of Chapter 46A of the W.V Code).

3. HEALTH DATA

3.1. Health Care Records

The West Virginia Health Care Records Law, codified under §16-29-1 et seq. of Article 29 of Chapter 16 of the W.V. Code, requires any licensed, certified, or registered health care provider, upon the written request of a patient or their personal representative to furnish a copy of their medical records, in the form of a paper or electronic copy within no more than 30 days from the receipt of the request. Such a request is subject to the following exceptions:

• in the case of a patient receiving treatment for psychiatric or psychological problems, a summary of the record must be made available to the patient, personal representative, or their authorized agent, or an authorized representative following termination of the treatment program; and
• the furnishing of a copy, as requested, of the reports of x-ray examinations, electrocardiograms, and other diagnostic procedures must be deemed to comply with the Health Care Records Law.

Notably, the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA') preempts the Health Care Records Law in the event of a conflict however, a State law that is more stringent than the HIPAA will typically apply (§16-29-1 of the W.V. Code).

3.2. AIDS-related Medical Testing and Records Confidentiality Act

The AIDS-Related Medical Testing and Records Confidentiality Act, codified under §16-3C-1 et seq. of Article 3C of Chapter 16 of the W.V. Code, prohibits any person from disclosing or being compelled to disclose the identity of any person upon whom an HIV-related test is performed, or the results of such a test in a manner which permits identification of the subject of the test, except to the following persons (§16-3C-3 of the W.V. Code):

• the subject of the test;
• the victim of the crimes of sexual abuse, sexual assault, incest, or sexual molestation at the request of the victim or the victim's legal guardian;
• any person who secures a specific release of test results executed by the subject of the test;
• a funeral director or an authorized agent or employee of a health facility or health care provider, if the funeral establishment, health facility, or health care provider itself is authorized to obtain the test results, the agent or employee provides patient care or handles or processes specimens of body fluids or tissues and the agent or employee has a need to know that information, provided that the funeral director, agent, or employee maintains the confidentiality of the information;
• licensed health care providers or appropriate health facility personnel providing care to the subject of the test;
• the U.S. Center for Disease Control and Prevention in accordance with reporting requirements for HIV and a diagnosed case of AIDS, or a related condition;
• a health facility or health care provider which procures, processes, distributes, or uses:
  • a human body part from a deceased person with respect to medical information regarding that person;
  • semen provided prior to the effective date of Article 3C for the purpose of artificial insemination;
  • blood or blood products for transfusion or injection; or
  • human body parts for transplant with respect to medical information regarding the donor or recipient;
• health facility staff committees or accreditation or oversight review organizations that are conducting program monitoring, program evaluation, or service reviews so long as any identity remains anonymous;
• claims management personnel employed by or associated with an insurer, health care service contractor, health maintenance organization, self-funded health plan, State-administered health care claims payer, or any other payer of health care claims, where the disclosure is to be used solely for the prompt and accurate evaluation and payment of medical or related claims; information released under this subsection is confidential and may not be released or made available to persons who are not involved in handling or determining medical claims payment;
• persons, health care providers, or health facilities engaging in or providing for the exchange of protected health information among the same in order to provide health care services to the patient, including, but not limited to, disclosure through a health information exchange, disclosure, and exchange within health care facilities, and disclosure for a permitted purpose, including disclosure to a legally authorized public health authority; and
• a person allowed access to the record by a court order.

Any person aggrieved by a violation of the AIDS-Related Medical Testing and Records Confidentiality Act has a right of action and may recover for the violation against any person who recklessly violates the AIDS-Related Medical Testing and Records Confidentiality Act, liquidated damages of $1,000 or actual damages, whichever is greater, or against any person who intentionally or maliciously violates a provision of Article 3C, liquidated damages of $10,000, or actual damages, whichever is greater. Such an aggrieved person must also be entitled to reasonable attorney fees and such other relief, including an injunction, as the court may consider appropriate.

4. FINANCIAL DATA

4.1. Security Freeze Rights

§46A-6L-103 of the Theft of Consumer Identity Protections, codified under §46A-6L-1-101 et seq. of Article 6L of Chapter 46A of the W.V. Code, provides that at any time a consumer is required to receive a summary of rights required under Section 609 of the Fair Credit Reporting Act of 1970 ('FCRA'), and the following notice must be given:

'West Virginia consumers have the right to obtain a security freeze.

You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to West Virginia law.

The security freeze will prohibit a consumer-reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a unique personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the distribution of your credit report for a period of time after the freeze is in place. To provide that authorization, you must contact the consumer-reporting agency and provide all of the following:

• the unique personal identification number or password provided by the consumer-reporting agency;
• proper identification to verify your identity; and
• the period of time for which the report must be available to users of the credit report.

A consumer-reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report must comply with the request no later than three business days after receiving the request.

A security freeze does not apply to circumstances in which you have an existing account relationship, and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities.

If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, a few days before actually applying for new credit.

You have the right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer-reporting agency.'

Under §46A-6L-104 of the W.V. Code, if a consumer-reporting agency negligently violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:

• notification within five business days following discovery or actual knowledge of the distribution of information, and such notification must include the specific information distributed to third-party and who the recipient of the information was;
• file a complaint with the Federal Trade Commission ('FTC') or the AG; and
• file a civil action against the consumer-reporting agency seeking:
  • injunctive relief;
  • actual damages sustained (not more than $1,000, if the violation is willful not more than $5,000); and
  • reasonable expenses, court costs, and attorney's fees.

5. EMPLOYMENT DATA

5.1. Employee's Social Media Accounts

§21-5H-1 of Article 5H of Chapter 21 of the W.V. Code provides that an employer must not do any of the following:

• request, require, or coerce an employee or a potential employee to disclose a username, password, or any other authentication information that allows access to the employee or potential employee's personal account;
• request, require, or coerce an employee or a potential employee to access the employee or the potential employee's personal account in the presence of the employer; or
• compel an employee or potential employee to add the employer or an employment agency to their list of contacts that enable the contacts to access a personal account.

Nothing in §21-5H-1 of the W.V. Code prevents an employer from:

• accessing information about an employee or potential employee that is publicly available;
• complying with applicable laws, rules, or regulations;
• requiring an employee to disclose a username or password or similar authentication information for the purpose of accessing:
  • an employer-issued electronic device; or
  • an account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes;
• conducting an investigation or requiring an employee to cooperate in an investigation, although the employer may require an employee to share the content that has been reported to make a factual determination, if the employer has specific information about an unauthorized transfer of the employer's proprietary information, confidential information, or financial data, to an employee's personal account;
• prohibiting an employee or potential employee from using a personal account during employment hours, while on employer time, or for business purposes; or
• requesting an employee to share specific content regarding a personal account for the purposes of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.

If an employer inadvertently receives the username, password, or any other authentication information that would enable the employer to gain access to the employee or potential employee's personal account through the use of an otherwise lawful technology that monitors the employer's network or employer-provided electronic devices for network security or data confidentiality purposes, then the employer is not liable for having that information, unless the employer:

• uses that information, or enables a third party to use that information, to access the employee or potential employee's personal account; or
• after the employer becomes aware that that information was received, does not delete the information as soon as is reasonably practicable, unless that information is being retained by the employer in connection with an ongoing investigation of an actual or suspected breach of the computer, network, or data security. Where an employer knows or, through reasonable efforts, should be aware that its network monitoring technology is likely inadvertently to receive such information, the employer must make reasonable efforts to secure that information.

Nothing in §21-5H-1 of the W.V. Code diminishes the authority and obligation of an employer to investigate complaints, allegations, or the occurrence of sexual, racial, or other harassment as provided in the W.V. Code. Under §21-5H-1 of the W.V. Code, 'personal account' means an account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer.

5.2. Employee References

§55-7-18a of Article 7 of Chapter 55 of the W.V. Code shields any employer from civil liability for providing a new prospective employer with adverse or damaging information pertaining to the current or former employee. There is a presumption that the employer is acting in good faith so long as the information they provide to a prospective employer is also provided to an employee in writing at the time of the disclosure. The presumption of good faith may be rebutted upon the showing, by a preponderance of the evidence, that the information disclosed was:

• knowingly false;
• disclosed with reckless disregard for the truth;
• deliberately misleading;
• rendered with malicious purpose toward the former or current employee; or
• disclosed in violation of a nondisclosure agreement or applicable law.

If an employer provides a prospective employer with false or misleading information, upon the employee's request, the employer must give corrected information to all parties that were provided with the false or misleading information.

5.3. Employee Monitoring

§55-7-18a of the W.V. Code prohibits an employer from using an electronic surveillance device or system for the purpose of recording or monitoring the activities of the employees in areas designated for the health or personal comfort of the employees. These places include, but are not limited to, shower rooms, locker rooms, dressing rooms, and employee lounges. Violations of §55-7-18a of the W.V. Code are considered a misdemeanor and subject to a $500 fine. Subsequently, a second offense carries a $1,000 fine, and a third offense, a $2,000 fine.

Liability may be imposed on employees for listening to employees' conversations at work. In the case of Bowyer v. Hi-Lad, Inc., 216 W.V. 634, 609 S.E.2d 895, 2004 W.V. LEXIS 197, the court imposed liability on an employer for listening to employee conversations by using hidden microphones in the work area.

6. ONLINE PRIVACY

West Virginia does not have any specific laws pertaining to online privacy and online behavioral advertising. 

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

7.1. Unauthorised Electronic Messages

The Electronic Mail Protection Act, codified under §46A-6G-1 et seq. of Article 6G of Chapter 46A of the W.V. Code, prohibits any person from transmitting an unauthorized electronic message with the intent to deceive and defraud, or a bulk electronic mail message from a computer located in West Virginia or to an electronic mail address that the sender knows, or has reason to know is held by a West Virginia resident that (§46-A-6G-2 of the W.V. Code):

• uses a third party's internet domain name without the permission of the third party, or otherwise misrepresents any information in identifying the point of origin or the transmission path of a commercial electronic mail message;
• contains false or misleading information in the subject line;
• does not clearly provide the date and time the message is sent, the identity of the person sending the message, and the return electronic mail address of that person; or
• contains 'sexually explicit materials', which are defined as a visual depiction, in actual or simulated form, or an explicit description in a predominately sexual context, nudity, human genitalia, or any act of natural or unnatural sexual intercourse.

A violation entitles an injured party to seek equitable and monetary relief (§46A-6G-5(b) and (c) of the W.V. Code). The recipient of an unauthorized bulk electronic message may recover for actual damages resulting from the injury sustained. In lieu of actual damages, §46A-6G-5(b) of the W.V. Code permits a minimum damage assessment of $1,000 for violations. Punitive damages are permitted for an individual's willful failure to cease initiating bulk electronic messages. In addition to monetary damages, the injured party may seek to enjoin the sender of unauthorized bulk electronic messages and, at the discretion of the court, be awarded reasonable attorney fees.

Any interactive computer service provider or public utility injured as a result of a violation of §46A-6G-2 of the W.V. Code may seek monetary relief. Such monetary relief that may be sought by service includes but is not limited to, actual damages in the form of loss of profits and attorney fees. In lieu of actual damages, providers may seek statutory damages in the amount of $10 for each and every violation.

7.2. Telemarketing Solicitation

§§46A-6F-501 to 601 under the Telemarketing Act, codified under §46A-6F-101 et seq. of Article 6F of Chapter 46A of the W.V. Code prohibit telemarketers from engaging in unfair, deceptive, or abusive acts or practices ('UDAAP'). Pursuant to §§46A-6F-501 to 601 of the W.V. Code, UDAAP violations include, but are not limited to:

• advertising or representing that registration as a telemarketer equals endorsement by the State;
• engaging in any unfair deceptive conduct which will create a likelihood of confusion;
• engaging in unfair methods of competition;
• initiating outbound calls to a person who previously stated their wish not to receive calls; and
• engaging in telemarketing to a person's residence at any time other than between 8 AM and 9 PM.

The telemarketing provision of West Virginia Consumer Credit and Protection Act, codified under Chapter 46A of the W.V. Code, applies to those persons who, by any means, initiate or receive telephone calls to or from a customer in West Virginia for the purpose of making a telemarketing solicitation (§46A-6F-113(a) of the W.V. Code). Under §46A-6F-112(a) of the W.V. Code, the solicitation includes communication between a telemarketer and a prospective purchaser for the purpose of selling or attempting to sell the purchaser any consumer goods or services. §46A-6F-201 to 46A-6F-220 of the W.V. Code includes numerous exemptions for persons or entities that would otherwise fall within the definition of a telemarketer.

Pursuant to §46A-6F-301 of the W.V. Code, no person should act as a telemarketer without first registering with the secretary of the Department of Tax and Revenue. The application must be made at least 60 days prior to offering consumer goods or services. Applications for renewal must be made on an annual basis thereafter, and §46A-6F-302 of the W.V. Code prescribes that the application must be accompanied by a continuing surety bond executed by a corporation that is licensed in West Virginia. Additionally, the bond must be certified before a telemarketer is permitted to conduct business. Failing to meet the registration requirements will subject the telemarketer to a $5,000 fine, levied by the Department of Tax and Revenue (§46A-6F-303 of the W.V. Code).

§46A-6F-410 of the W.V. Code requires that a telemarketer promptly disclose, in a clear and conspicuous manner:

• the true identity of the telemarketer;
• the purpose of the call is to sell consumer goods or services; and
• the nature of the goods or services offered for sale.

If goods or services are requested by a consumer, before the consumer pays, the telemarketer must disclose the quantity, price, and all material aspects of the transaction detailed in §§46A-6F-401(b)(1) to (7) of the W.V. Code. With regard to sales made, §46A-6F-402 of the W.V. Code requires that telemarketers have an accepting returns or cancelling services policy in place. The policy, must at least, allow for seven days from the date of delivery for the consumer the ability to seek a refund in cash or issuing credit for the purpose. The policy must be disclosed to the consumer orally or via writing. Failing to comply with these requirements is considered as an unfair deceptive act or practice.

A violation by any telemarketer entitles an individual to initiate an action for monetary damages or equitable relief through an injection. Such monetary damages allowed include actual damages suffered and statutory damages of not less than $100 and no more than $1,000 (§46A-6F-701(a) of the W.V. Code). In addition to allowable monetary damages, any sale or lease of consumer goods or services in connection with the violation is void, and the consumer is not required to pay any principal or finance charges. In the instance that the consumer has paid part or all of the cost of goods or services, they are entitled to recover such payments (§46A-6F-701(b) of the W.V. Code).

§§46A-6F-601(a) and (b) of the W.V. Code provide a safe harbor for telemarketers if they have:

• established and implemented written procedures to avoid outbound telephone calls to persons who have previously stated that that they do not wish to receive such calls;
• trained all of its personnel in such established procedures;
• maintained and recorded lists of persons who have previously stated that they did not wish to receive calls; and
• any violating calls are a result of subsequent error.

§46A-6F-503 of the W.V. Code provides a prohibition on individuals operating a criminal recovery service. An individual is said to be operating a criminal recovery service when the person:

• makes a representation that they will recover all or any portion of the consideration that a consumer has paid to a telemarketer in response to a telemarketing solicitation;
• does not intend to make such recovery or has no reasonable expectation to anticipate that recovery will be made; and
• receives any remuneration from the consumer before a recovery of consideration is made.

Pursuant to §46A-6F-503 of the W.V. Code, any person who violates this provision is guilty of a felony and subject to a prison sentence of not less than one year and no more than 10 years. Additionally, a fine of not more than $5000 will be imposed.

8. PRIVACY POLICIES

Currently, West Virginia does not have specific privacy laws or policies. Many of the laws discussed in this Guidance Note include privacy policy requirements, but there is no exclusive law mandating or detailing the applicable standards for such policies. For e.g., West Virginia's law governing privacy rights and procedures applicable to insurers provides that no insurer should disclose non-public information of its policyholders unless a specific exemption applies. Such failure on behalf of the insurer to adhere to the privacy requirement subjects them to a $500 penalty and reasonable attorney's fees (see Chapter 33 of the W.V. Code).

§16-29G-1 et seq. of Article 29G of Chapter 16 of the W.V. Code provides that healthcare providers must ensure that patient-specific protected health information may be disclosed only in accordance with patient authorization of best interests.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

West Virginia does not have specific data disposal or cybersecurity laws. However, numerous provisions touch on disposal, data security, and what to do in the case of a data breach. For example, §46A-6F-304 of the W.V. Code, requires telemarketers to keep records produced in telemarketing activities for four years.

The Uniform Electronic Transactions Act, codified under §39A-1-1 et seq. of Article 1 of Chapter 39A of the W.V. Code, seeks to facilitate electronic transactions consistent with other applicable laws. If a particular the Uniform Electronic Transactions Act requires that a record be retained, the requirement must be satisfied by retaining a record of the information that accurately reflects the information in the record after it was generated, and it must remain accessible for later reference (§39A-1-12(a) of the W.V. Code).

9.1. Data Breach

Pursuant to §46A-2A-102(a) of the W.V. Code, West Virginia imposes a duty on individuals or entities that own or license computerized data, which includes personal information, to provide notice of breach of its security system. Upon discovery of a breach, notice is required to be provided to all West Virginia residents without unreasonable delay. Sufficient notice must include (§46A-2A-102(d) of the W.V. Code):

• to the extent possible, a description of the categories of information that were believed to be compromised;
• a telephone number or website address that the individual may use to contact the entity or agent of the entity to learn of what information may have been compromised, and whether the entity maintained specific information of the individual; and
• the toll-free telephone numbers and addresses for major credit reporting agencies and information on how to place a fraud alert or security freeze on accounts.

In the instance that a data breach puts more than 1,000 individuals at risk, the entity, in addition to notifying all affected parties, must notify all consumer reporting agencies. Failure to maintain applicable notice requirements is considered an unfair or deceptive act or practice in violation of this provision and may be enforced by the AG (§46A-2A-104(b) of the W.V. Code). Individuals harmed by failure to provide applicable notice have no right to civil remedies unless a court determines that such violations were repeated and willful. In the instance that a court allows an individual to bring a cause of action, such damages are capped at $150,000 per breach of a system or closely related series of breaches.

9.2. Cyber Security Program

§§5A-6B-1 to 6 of Article 6B of Chapter 5A of the W.V. Code established the West Virginia Cybersecurity Office ('the W.V. Cybersecurity Office'), which operates within the West Virginia Office of Technology. The W.V. Cybersecurity Office is under the supervision and control of the Chief Information Security Officer ('CISO'), who must be appointed by the Chief Technology Officer ('CTO') (§5A-6B-3(a) of the W.V. Code). Overall, the CISO is tasked with developing policies, procedures, and standards necessary to establish an effective cybersecurity program for West Virginia Agencies and officials. More particularly, the CISO will conduct cybersecurity risk assessments, provide guidance to particular State agencies and officials, and assist with the implementation of the cybersecurity framework (§5A-6B-3(b)(1) to (11) of the W.V. Code).

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

10.1. Student Records and Personal Information

The Student Data Accessibility, Transparency, and Accountability Act, codified under §18-2-5H of Article 2 of Chapter 18 of the W.V. Code, provides numerous privacy protections for students, including but not limited to, restricting transfer and disclosure of student records that contain confidential information, requiring schools to develop privacy plans, and ensuring that all applicable institutions comply with the federal Family Education Rights and Privacy Act of 1974 ('FERPA').

A school district must not report to the State the following individual student data (§18-2-5H of the W.V. Code):

• juvenile delinquency records;
• criminal records;
• medical and health records; and
• student biometric information.

Schools shall not collect the following individual student data (§18-2-5H of the W.V. Code):

• political affiliation and beliefs;
• religion and religious beliefs and affiliations;
• any data collected through affective computing;
• any data concerning the sexual orientation or beliefs about the sexual orientation of the student or any student's family member; and
• any data concerning firearm's ownership by any member of a student's family.

The State Superintendent must appoint a data governance manager, who must report to and be under the general supervision of the State Superintendent. The data governance manager must have the primary responsibility of privacy policy, including (§18-2-5H of the W.V. Code):

• assuring that the use of technologies sustains and do not erode, privacy protections relating to the use, collection, and disclosure of student data;
• assuring that student data contained in the student data system is handled in full compliance with the Student Data Accessibility, Transparency, and Accountability Act, FERPA, and other State and federal privacy laws;
• evaluating legislative and regulatory proposals involving the collection, use, and disclosure of student data by the West Virginia Department of Education;
• conducting a privacy impact assessment on proposed rules of the state board and department in general and on the privacy of student data, including the type of personal information collected and the number of students affected;
• coordinating with the general counsel of the state board and department, other legal entities, and organization officers to ensure that programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner;
• preparing a report to the West Virginia Legislature on an annual basis on activities of the department that affect privacy, including complaints of privacy violations, internal controls, and other matters;
• establishing department-wide policies necessary for implementing Fair Information Practice Principles to enhance privacy protections;
• working with the Office of Data Management and Analysis, general counsel, and other officials in engaging with stakeholders about the quality, usefulness, openness, and privacy of data;
• establishing and operating a department-wide Privacy Incident Response Program to ensure that incidents are properly reported, investigated, and mitigated, as appropriate;
• establishing and operating a process for parents to file complaints of privacy violations;
• establishing and operating a process to collect and respond to complaints of privacy violations and provide redress, as appropriate; and
• providing training, education, and outreach to build a culture of privacy across the department and transparency to the public.

The data governance manager must have access to all records, reports, audits, reviews, documents, papers, recommendations, and other materials available to the department that relate to programs and operations with respect to their responsibilities under this Section and must make investigations and reports relating to the administration of the programs and operations of the department as are necessary or desirable.

Under §18-2-5h(g) of the W.V. Code parents have the right to inspect and review their child's education record maintained by the school and to request student data specific to their child's educational record. School districts must provide parents or guardians with a copy of their child's educational record upon request. Whenever possible, an electronic copy of the educational record must be provided if requested and the identity of the person requesting the information is verified as the parent or guardian.

Pursuant to §18-2-5h(g)(1)-(7) of the W.V. Code, the State Board must develop guidance for school district policies that:

• annually notify parents of their right to request student information;
• ensure security when providing student data to parents;
• ensure student data is provided only to the authorized individuals;
• detail the timeframe within which record requests must be provided;
• ensure that school districts have a plan to allow parents to view and access data specific to their child's educational record and that any electronic access provided is restricted to eligible parties;
• ensure compliance in the collection, use, and disclosure of directory information and providing parents or guardians with a form to limit the information concerning their child in directory and subject to release; and
• informing parents of their rights and the process for filing complaints of privacy violations.

Upon the effective date of this Section, any existing student data collected by the Department of Education must not be considered a new student data collection under this Section.