WEST VIRGINIA LEGISLATURE
2024 REGULAR SESSION
ENROLLED
Committee Substitute for House Bill 5338
BY DELEGATES LINVILLE, CANNON, YOUNG, W. CLARK,
BUTLER, WARD, HILLENBRAND, BROOKS, ADKINS,
HANSHAW (MR. SPEAKER), AND CHIARELLI
[Passed March 9, 2024; in effect January 1, 2025.]
Enr CS for HB 5338
1 AN ACT to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article,
2 designated §31A-8H-1, §31A-8H-2, §31A-8H-3, §31A-8H-4, and §31A-8H-5, all relating
3 to providing an affirmative legal defense to certain types of businesses against certain
4 types of lawsuits claiming that the business failed to implement reasonable cybersecurity
5 protections and that as a result, a data breach of personal information or restricted
6 information occurred if the business creates, maintains, and complies with a written
7 cybersecurity program that contains administrative, technical, operational, and physical
8 safeguards for the protection of personal information as set forth in this act; defining terms;
9 describing the requirements of the cybersecurity program; construction of article; clarifying
10 no private cause of action provided by article; and providing immunity in certain
11 circumstances to certain institutions of higher education in this state that offer a
12 cybersecurity assessment program as part of an undergraduate or graduate program
13 relating to cybersecurity to any business in the state.
Be it enacted by the Legislature of West Virginia:
ARTICLE 8H. SAFE HARBOR FOR CYBERSECURITY PROGRAMS.
§31A-8H-1. Definitions.
1 As used in this article:
2 (1) "Business" means any limited liability company, limited liability partnership,
3 corporation, sole proprietorship, association, or other group, however organized and whether
4 operating for profit or not for profit, including a financial institution or bank holding company
5 organized, chartered, or holding a license authorizing operation under the laws of this state, any
6 other state, the United States, or any other country, or the parent or subsidiary of any of the
7 foregoing.
8 "Business" does not include any body, authority, board, bureau, commission, district, or
9 agency of the state or of any political subdivision of the state.
1
Enr CS for HB 5338
10 (2) "Contract" means the total legal obligation resulting from the parties’ agreement as
11 affected by this article and other applicable law.
12 (3) "Covered entity" means a business that accesses, maintains, communicates, or
13 processes personal information or restricted information in or through one or more systems,
14 networks, or services located in or outside this state.
15 (4) "Data breach" means unauthorized access to and acquisition of computerized data
16 that compromises the security or confidentiality of personal information or restricted information
17 owned by or licensed to a covered entity and that causes, reasonably is believed to have caused,
18 or reasonably is believed will cause a material risk of identity theft or other fraud to person or
19 property. "Data breach" does not include either of the following:
20 (A) Good faith acquisition of personal information or restricted information by the covered
21 entity’s employee or agent for the purposes of the covered entity provided that the personal
22 information is not used for an unlawful purpose or subject to further unauthorized disclosure;
23 (B) Acquisition of personal information pursuant to a search warrant, subpoena, or other
24 court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
25 (5) "Distributed ledger technology" means an electronic ledger or other record of
26 transactions or other data to which all of the following apply:
27 (A) The electronic ledger is uniformly ordered.
28 (B) The electronic ledger is redundantly maintained or processed by more than one
29 computer or machine to guarantee the consistency or nonrepudiation of the recorded transactions
30 or other data.
31 (6) "Electronic record" means a record created, generated, sent, communicated, received,
32 or stored by electronic means.
33 (7) "Encryption" means the use of an algorithmic process to transform data into a form in
34 which there is a low probability of assigning meaning without use of a confidential process or key.
35 (8) "Individual" means a natural person.
2
Enr CS for HB 5338
36 (9)(A) "Personal information" means any information relating to an individual who can be
37 identified, directly or indirectly, in particular by reference to an identifier such as a name, an
38 identification number, social security number, driver’s license number or state identification card
39 number, passport number, account number, or credit or debit card number, precise location data,
40 biometric data, an online identifier, or to one or more factors specific to the physical, physiological,
41 genetic, mental, economic, cultural, or social identity of that individual.
42 (B) "Personal information" does not include publicly available information that is lawfully
43 made available to the general public from federal, state, or local government records or any of
44 the following media that are widely distributed:
45 (i) Any news, editorial, or advertising statement published in any bona fide newspaper,
46 journal, or magazine, or broadcast over radio, television, or the internet.
47 (ii) Any gathering or furnishing of information or news by any bona fide reporter,
48 correspondent, or news bureau to news media identified in this paragraph.
49 (iii) Any publication designed for and distributed to members of any bona fide association
50 or charitable or fraternal nonprofit business.
51 (iv) Any type of media similar in nature to any item, entity, or activity identified in this
52 paragraph.
53 (10) "Record" means information that is inscribed on a tangible medium or that is stored
54 in an electronic or other medium and is retrievable in perceivable form.
55 (11) "Redacted" means altered or truncated so that no more than the last four digits of a
56 social security number, driver’s license number, state identification card number, passport
57 number, account number, or credit or debit card number is accessible as part of the data.
58 (12) "Smart contract" means an electronic record that is an event-driven program or
59 computerized transaction protocol that runs on a distributed, decentralized, shared, and replicated
60 ledger that executes the term of a contract, including but not limited to, taking custody over and
61 instructing the transfer of assets.
3
Enr CS for HB 5338
62 (13) "Transaction" means a sale, trade, exchange, transfer, payment, or conversion of
63 virtual currency or other digital asset or any other property or any other action or set of actions
64 occurring between two or more persons relating to the conduct of business, commercial, or
65 governmental affairs.
§31A-8H-2. Affirmative defenses.
1 (a) A covered entity seeking an affirmative defense under this chapter shall do at least
2 one of the following:
3 (1) Create, maintain, and comply with a written cybersecurity program that contains
4 administrative, technical, operational, and physical safeguards for the protection of personal
5 information and that reasonable conforms to an industry recognized cybersecurity framework, as
6 described in §31A-8H-3; or
7 (2) Create, maintain, and comply with a written cybersecurity program that contains
8 administrative, technical, and physical safeguards for the protection of both personal information
9 and restricted information and that reasonably conforms to an industry recognized cybersecurity
10 framework, as described in §31A-8H-3.
11 (b) A covered entity’s cybersecurity program shall be designed to do all of the following
12 with respect to the personal information described in division (a)(1) or (2) of this section, as
13 applicable:
14 (1) Protect the security and confidentiality of the personal information;
15 (2) Protect against any anticipated threats or hazards to the security or integrity of the
16 personal information;
17 (3) Protect against unauthorized access to and acquisition of the personal information that
18 is likely to result in a material risk of identity theft or other fraud to the individual to whom the
19 personal information relates.
20 (c) The scale and scope of a covered entity's cybersecurity program under division (A) (1)
21 or (2) of this section, as applicable, is appropriate if it is based on all of the following factors:
4
Enr CS for HB 5338
22 (1) The size and complexity of the covered entity;
23 (2) The nature and scope of the activities of the covered entity;
24 (3) The sensitivity of the information to be protected;
25 (4) The cost and availability of tools to improve information security and reduce
26 vulnerabilities;
27 (5) The resources available to the covered entity.
28 (d) (1) A covered entity that satisfies subsections (a)(1),(b), and (c) of this section is
29 entitled to an affirmative defense to any cause of action sounding in tort that is brought under the
30 laws of this state or in the courts of this state and that alleges that the failure to implement
31 reasonable information security controls resulted in a data breach concerning personal
32 information.
33 (2) A covered entity that satisfies subsections (a)(2), (b), and (c) of this section is entitled
34 to an affirmative defense to any cause of action sounding in tort that is brought under the laws of
35 this state or in the courts of this state and that alleges that the failure to implement reasonable
36 information security controls resulted in a data breach concerning personal information or
37 restricted information.
38 A covered entity satisfies all requirements of this section if its cybersecurity program
39 reasonably conforms to an industry-recognized cybersecurity framework, as described in §31A-
40 8H-3 of this code.
§31A-8H-3. Cybersecurity program framework.
1 (a) A covered entity’s cybersecurity program, as described in section §31A-8H-2 of this
2 code, reasonably conforms to an industry-recognized cybersecurity framework for purposes of
3 this article if the cybersecurity program meets any of the following three requirements as
4 applicable:
5
Enr CS for HB 5338
5 (1)(A) The cybersecurity program reasonably conforms to the current version of any of the
6 following or any combination of the following, subject to paragraph (B) of this subdivision and
7 subsection (b) of this section:
8 (i) The framework for improving critical infrastructure cybersecurity developed by the
9 national institute of standards and technology.
10 (ii) National institute of standards and technology special publication 800-171.
11 (iii) National institute of standards and technology special publications 800-53 and 800-
12 53a.
13 (iv) National institute of standards and technology special publication 800-76-1.
14 (v) The federal risk and authorization management program security assessment
15 framework.
16 (vi) The center for internet security critical security controls for effective cyber defense.
17 (vii) The international organization for standardization/international electrotechnical
18 commission 27000 family — information security management systems.
19 (viii) The Cybersecurity Maturity Model Certification at a minimum of Level 2 with external
20 certification.
21 (B) When a final revision to a framework listed in paragraph (A) is published, a covered
22 entity whose cybersecurity program reasonably conforms to that framework shall reasonably
23 conform the elements of its cybersecurity program to the revised framework within the time frame
24 provided in the relevant framework upon which the covered entity intends to rely to support its
25 affirmative defense, but in no event later than one year after the publication date stated in the
26 revision.
27 (2)(A) The covered entity is regulated by the state, by the federal government, or both, or
28 is otherwise subject to the requirements of any of the laws or regulations listed below, and the
29 cybersecurity program reasonably conforms to the entirety of the current version of any of the
30 following, subject to paragraph (B) of this subdivision:
6
Enr CS for HB 5338
31 (i) The security requirements of the federal Health Insurance Portability and Accountability
32 Act of 1996, as set forth in 45 C.F.R. pt. 164, subpt. C.
33 (ii) Title V of the federal Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as
34 amended.
35 (iii) The federal Information Security Modernization Act of 2014, Pub. L. No. 113-283.
36 (iv) The federal Health Information Technology for Economic and Clinical Health Act as
37 set forth in 45 C.F.R. pt. 162.
38 (v) Any applicable rules, regulations, or guidelines for critical infrastructure protection
39 adopted by the federal environmental protection agency, the federal cybersecurity and
40 infrastructure security agency, or the north American reliability corporation.
41 (B) When a framework listed in paragraph (A) of this subdivision is amended, a covered
42 entity whose cybersecurity program reasonably conforms to that framework shall reasonably
43 conform the elements of its cybersecurity program to the amended framework within the time
44 frame provided in the relevant framework upon which the covered entity intends to rely to support
45 its affirmative defense, but in no event later than one year after the effective date of the amended
46 framework.
47 (3)(A) The cybersecurity program reasonably complies with both the current version of the
48 payment card industry data security standard and conforms to the current version of another
49 applicable industry-recognized cybersecurity framework listed in subdivision (a)(1) of this section,
50 subject to paragraph (B) of this subdivision and subsection (b) of this section.
51 (B) When a final revision to the payment card industry data security standard is published,
52 a covered entity whose cybersecurity program reasonably complies with that standard shall
53 reasonably comply the elements of its cybersecurity program with the revised standard within the
54 time frame provided in the relevant framework upon which the covered entity intends to rely to
55 support its affirmative defense, but not later than the effective date for compliance.
7
Enr CS for HB 5338
56 (b) If a covered entity’s cybersecurity program reasonably conforms to a combination of
57 industry-recognized cybersecurity frameworks and two or more of those frameworks are revised,
58 the covered entity whose cybersecurity program reasonably conforms to or complies with, as
59 applicable, those frameworks shall reasonably conform the elements of its cybersecurity program
60 to or comply with, as applicable, all of the revised frameworks within the time frames provided in
61 the relevant frameworks but in no event later than one year after the latest publication date stated
62 in the revisions.
§31A-8H-4. Limitation on private right of action.
1 This article shall not be construed to provide a private right of action, including a class
2 action, with respect to any act or practice regulated therein.
§31A-8H-5. Security assessments; limitation on liability.
1 (a) Any institution of higher education in this state may offer a cybersecurity
2 assessment program as part of an undergraduate or graduate program relating to
3 cybersecurity to any business in the state.
4 (b) An institution of higher education in this state, or any employee or student thereof,
5 offering a cybersecurity assessment program shall be immune from civil liability that arises
6 from the failure of a covered entity to conform to the provisions of this article.
8
Enr CS for HB 5338
The Clerk of the House of Delegates and the Clerk of the Senate hereby certify that the foregoing bill is correctly enrolled.
...............................................................
Clerk of the House of Delegates
...............................................................
Clerk of the Senate Originated in the House of Delegates.
In effect January 1, 2025.
...............................................................
Speaker of the House of Delegates
...............................................................
President of the Senate __________
The within is ................................................ this the...........................................
Day of ..........................................................................................................., 2024.
.............................................................