Virgin Islands
State Data Breach Notification Statute
Highlights
Covered Entities: An agency, person or business that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to residents whose “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Regulatory Notification: N/A
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay…”
Data Format: Electronic.
Citations: V.I. Code tit. 14, § 2208 (2019).
More Details
Definitions:
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
- Personal Information (PI):
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social Security number;
- Driver’s license number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Medical Information: N/A
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: N/A
- Good Faith: Notification is not required where personal information was acquired by an employee or agent, provided that the personal information is not used or subject to further unauthorized disclosure.
- Risk of Harm: N/A
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
Direct Notice:
- Timing: Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Format: N/A
- Content: N/A
- Method: Notification letters may be provided by one of the following methods:
- Written notice
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 7001 of Title 15 of the United States Code.
Substitute Notice:
An entity may provide substitute notice is the entity demonstrates: (1) that the costs of providing notice would exceed $100,000, or (2) that the affected class of subject persons to be notified exceeds 50,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting of the notice of the entity’s Website page, if the entity maintains one; and (3) notification to major territory-wide media.
Remediation Services:
N/A
Regulatory Notice:
N/A
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
An entity that maintains computerized data that includes PI that the entity does not own must notify the owner or licensee of the information of any breach of PI immediately following discovery.
HIPAA:
N/A
Private Action:
A person who suffered damages as a result of the violation may institute a civil action.
Associated Regulations:
N/A
