The Kentucky General Assembly has enacted a new law regarding data breaches (H.B. 232), making it the 47th state to have a data breach notification law. The new law will take effect on July 15, 2014.
The new law applies to any person or business conducting business in Kentucky that is not otherwise governed by Title V of the Gramm-Leach-Bliley Act (“GLBA”) or the Health Insurance Portability and Accountability Act (“HIPAA”). The law covers unencrypted, unredacted computerized “personally identifiable information,” which is defined as an individual’s first name and (a) a driver’s license number, (b) bank or credit card account number, or (c) social security number.
The duty to notify under the new law is triggered when unencrypted, unredacted computerized data is acquired in an unauthorized fashion, thereby compromising the security of an individual’s personally identifiable information. After discovering a breach, the information holder must notify any Kentucky resident whose personally identifiable information is reasonably believed to have been acquired by an unauthorized person. The affected individual(s) must be contacted in writing without “unreasonable delay.” While the information holder is not required to notify the Kentucky Attorney General, if more than 1,000 persons are affected by the disclosure, the information holder must notify consumer reporting agencies.
For businesses, the new law highlights the importance of (i) encrypting electronic data, and (ii) maintaining policies and procedures regarding data security and the investigation of security breaches, and training employees on such policies and procedures.