Kentucky Security Breach
KRS § 365.732
SUMMARY:
EFFECTIVE. July 15, 2014
WHO DOES THIS LAW APPLY TO. “Information holder” means any person or entity that conducts business in the state.
WHAT IS A BREACH. An unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality or integrity of Personal Information maintained by the information holder and that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any Kentucky resident. Data that is encrypted or redacted is outside the definition, so a loss of ciphertext alone is not a reportable breach.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not redacted:
- Social Security number.
- Driver’s license number, state I.D. card number, or other identification number issued by the state.
- Account number, credit card number or debit card number, in combination with any security code, access code, or password that would permit access to the individual’s financial account.
WHO TO NOTIFY OF THE BREACH. Notice must be given to the affected Kentucky residents. If more than 1,000 persons are notified at any one time, the information holder must also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis (as defined in the Fair Credit Reporting Act, 15 U.S.C. § 1681a) of the timing, distribution, and content of the notices. Private entities have no obligation to notify any state authority.
EXCEPTIONS. This Section does not apply in the following cases:
- Good faith acquisition. Acquisition of Personal Information in good faith by an employee or agent of the entity for the entity’s own purposes is not a breach, provided the information is not used for, or subject to, further unauthorized disclosure.
- Own Breach Notification Policy exception. An entity that maintains its own notice procedures as part of a Personal Information security policy, consistent with the timing requirements of this Section, is considered in compliance with this Section if it notifies the affected individuals in accordance with those procedures.
- Compliance with Other Laws exception. The provisions of this Section, and the requirements for nonaffiliated third parties in KRS Chapter 61, do not apply to any entity that is subject to (1) Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, or (2) the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, as amended, or (3) any Kentucky state agency, local government, or political subdivision (which are covered by the separate public-agency provisions in KRS Chapter 61).
WHEN TO NOTIFY OF THE BREACH. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the nature and scope of the breach, to prevent further disclosures, and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation; in that case notification shall be made after law enforcement determines it will no longer impede the investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice.
- Electronic notice, if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001.
- Substitute notice, as provided below.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be used if the entity can demonstrate that the cost of providing notice would exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or that the entity has insufficient contact information. Substitute notice shall consist of all of the following:
- E-mail notice, if the entity has an e-mail address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the entity’s website, if the entity maintains one.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If an entity maintains computerized data that includes Personal Information it does not own, the entity shall notify the owner or licensee of the information as soon as reasonably practicable following discovery of a breach, if the Personal Information was acquired by an unauthorized person.
Under the separate public-agency provisions in KRS Chapter 61 (enacted by H.B. 5, below), if a breach involves a nonaffiliated third party, the contracting agency must notify the Attorney General within 72 hours of being notified by the nonaffiliated third party. Private entities have no obligation to notify any state regulatory authority.
CONSEQUENCES FOR FAILING TO NOTIFY. None stated.
PRIVATE RIGHT OF ACTION. Yes. A civil action may be filed to recover actual damages resulting from a failure to disclose in a timely manner to any resident whose Personal Information was breached.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. KRS § 365.725. When a business disposes of, other than by storage, any customer records that are not required to be retained, the business shall take reasonable steps to destroy, or arrange for the destruction of, the portion of those records containing personally identifiable information, by shredding, erasing, or otherwise modifying the personal information so that it is unreadable or indecipherable through any means.
LEGISLATIVE UPDATES.
H.B. 232 – Signed into law 4/10/2014, Effective 7/15/2014.
H.B. 5 – Signed into law 4/10/2014, Effective 1/1/2015.
For more information, see here: https://apps.legislature.ky.gov/law/statutes/chapter.aspx?id=39074
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.