The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
State Data Breach Notification Statute
Covered Entities: An agency, person or business that owns or licenses computerized data that includes personal information.
Consumer Notification: Notification must be provided to residents whose “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Regulatory Notification: N/A
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay…”
Data Format: Electronic.
Citations: V.I. Code tit. 14, § 2208 (2019).
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  - Social Security number;
  - Driver’s license number; or
  - Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: N/A
- Good Faith: Notification is not required where personal information was acquired by an employee or agent, provided that the personal information is not used or subject to further unauthorized disclosure.
- Risk of Harm: N/A
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
- Timing: Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Format: N/A
- Content: N/A
- Method: Notification letters may be provided by one of the following methods:
  - Written notice
  - Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 7001 of Title 15 of the United States Code.
An entity may provide substitute notice if the entity demonstrates: (1) that the costs of providing notice would exceed $100,000, or (2) that the affected class of subject persons to be notified exceeds 50,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting of the notice on the entity’s website page, if the entity maintains one; and (3) notification to major territory-wide media.
Credit Reporting Agencies Notice:
An entity that maintains computerized data that includes PI that the entity does not own must notify the owner or licensee of the information of any breach of PI immediately following discovery.
A person who suffered damages as a result of the violation may institute a civil action.