Security Breach Legislation in the State of Kentucky
KRS § 365.732, KRS §§ 61.931 to 61.934 is a security breach notification law that was passed in the U.S. state of Kentucky in 2014 and went into effect the following year. As is the case with other security breach notification legislation at the U.S. state level, KRS § 365.732, KRS §§ 61.931 to 61.934 establishes the protocol that businesses within the state are charged with following should a security breach occur. With this said, KRS § 365.732, KRS §§ 61.931 to 61.934 represent the foremost means by which residents of the state of Kentucky can protect their personal information from security breaches.
How is a security breach defined under KRS § 365.732, KRS §§ 61.931 to 61.934?
Under KRS § 365.732, KRS §§ 61.931 to 61.934, a security breach is defined as “the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity as part of a database regarding multiple individuals that actually causes, or leads the Entity to believe has caused or will cause, identity theft or fraud against any Kentucky resident.” Alternatively, “the good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used or subject to further unauthorized disclosures.”
What are the security breach notification obligations?
Under KRS § 365.732, KRS §§ 61.931 to 61.934, business entities within the state of Kentucky are required to provide notification to all affected parties should a data breach occur. Notably, the law also places additional requirements on “non-affiliated third parties (NTP) of state and municipal government agencies and public educational institutions that receive or collect and maintain personal information from the agencies and institutions pursuant to a contract.” Additionally, in the event that a security breach affects more than 1,000 residents within Kentucky, the business entity that experienced the breach is also responsible for notifying the three major consumer credit reporting agencies in the U.S.
What personal information is covered?
Under KRS § 365.732, KRS §§ 61.931 to 61.934, the following categories of personal information are legally protected should a data breach occur, in combination with a Kentucky resident’s first name and first initial and last name, in instances where the following data elements have not been redacted:
- Social security numbers.
- Driver’s license numbers.
- Account numbers and credit and debit card numbers, as well as any required passwords, access codes, or security codes that could be used to gain entry to an individual’s account.
What’s more, the law also protects certain categories of personal information that may be held by non-affiliated third parties or NTPs, state and municipal government agencies, and public educational institutions. To this point, the following categories of personal information are also protected under the law, in combination with “an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:”
- Account numbers and credit and debit card numbers, as well as any required passwords, access codes, or security codes that could be used to gain entry to an individual’s account.
- Social security numbers.
- Taxpayer identification numbers that incorporate social security numbers.
- Driver’s license numbers and state identification card numbers, as well as any other identification numbers that may be issued by a state agency within Kentucky.
- Passport numbers, as well as other identification numbers that may be issued by the U.S. federal government.
- “Individually identifiable health information as defined in 45 C.F.R. § 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g.”
Through the provisions of KRS § 365.732, KRS §§ 61.931 to 61.934, the personal information of residents within the state of Kentucky is legally protected should a data or security breach occur. Moreover, as the law applies to both private and public entities within the state, residents of Kentucky can also have the peace of mind that their personal information is being protected in all facets of society. To this end, many other states around the country will also likely extend the level of coverage that is provided to American citizens as it relates to security breaches and in turn, personal privacy.