HB 232 enacts general data breach notification requirements for any person or business that conducts business in Kentucky, called “information holders,” and is not limited to those who contract with governmental agencies. HB 232 does not apply to banks, health care providers or others who are subject to Gramm-Leach-Bliley or HIPAA. It also does not apply to any agency of Kentucky government, local government or subdivision. For the full text of HB 232, please click here and select "SCS."
The following are some highlights of this law:
- Notification Triggers. Beginning July 15, 2014, you will need to notify affected Kentucky residents if (i) you suffer a data breach of electronically stored personally identifiable information; (ii) the information is not encrypted or redacted; and (iii) you believe that the breach has caused or is likely to cause fraud or identity theft.
- Personally identifiable information is defined as an individual’s first name or first initial and last name in combination with one of the following:
  - social security number;
  - driver’s license number; or
  - account number, credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
- Notice is required following discovery or notification of the breach of security to any Kentucky resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure is to be made in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement.
- Required notification methods are set forth in the new statute. In the alternative, if the information holder has notification procedures as part of an information security policy for the treatment of personally identifiable information that are otherwise consistent with the timing requirements of the new law, the holder shall be deemed to be in compliance if notification is made in accordance with the holder’s own procedures.
- If more than 1,000 persons must be notified at one time, then the information holder shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that maintain files on consumers on a national basis.
- Data usage restrictions are imposed on cloud computing service providers that provide services to any public, private or school administrative unit serving students in grades K-12.