Security Breach Legislation in the State of Kentucky

February 25, 2022 | 4 minutes read
Security Breach Legislation in the State of Kentucky

KRS § 365.732, KRS §§ 61.931 to 61.934 is a security breach notification law that was passed in the U.S. state of Kentucky in 2014 and went into effect the following year. As is the case with other security breach notification legislation at the U.S. state level, KRS § 365.732, KRS §§ 61.931 to 61.934 establishes the protocol that businesses within the state are charged with following should a security breach occurs. With this said, KRS § 365.732, KRS §§ 61.931 to 61.934 represent the foremost means by which residents of the state of Kentucky can protect their personal information from security breaches.

How is a security breach defined under KRS § 365.732, KRS §§ 61.931 to 61.934?

Under KRS § 365.732, KRS §§ 61.931 to 61.934, a security breach is defined as “the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity as part of a database regarding multiple individuals that actually causes, or leads the Entity to believe has caused or will cause, identity theft or fraud against any Kentucky resident.” Alternatively, “the good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used or subject to further unauthorized disclosures.”

What are the security breach notification obligations?

Under KRS § 365.732, KRS §§ 61.931 to 61.934, business entities within the state of Kentucky are required to provide notification to all affected parties should a data breach occur. Notably, the law also places additional requirements on “non-affiliated third parties (NTP) of state and municipal government agencies and public educational institutions that receive or collect and maintain personal information from the agencies and institutions pursuant to a contract.” Additionally, in the event that a security breach affects more than 1,000 residents within Kentucky, the business entity that experienced the breach is also responsible for notifying the three major consumer credit reporting agencies in the U.S.

What personal information a covered?

Under KRS § 365.732, KRS §§ 61.931 to 61.934, the following categories of personal information are legally protected should a data breach occur, in combination with a Kentucky resident’s first name and first initial and last name, in instances where the following data elements have not been redacted:

What’s more, the law also protects certain categories of personal information that may be held by non-affiliated third parties or NTPs, state and municipal government agencies, and public educational institutions. To this point, the following categories of personal information are also protected under the law, in combination with “an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:”

Through the provisions of KRS § 365.732, KRS §§ 61.931 to 61.934, the personal information of residents within the state of Kentucky is legally protected should a data or security breach occur. Moreover, as the law applies to both private and public entities within the state, residents of Kentucky can also have the peace of mind that their personal information is being protected in all facets of society. To this end, many other states around the country will also likely extend the level of coverage that is provided to American citizens as it relates to security breaches and in turn, personal privacy.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Arizona’s Proposed New Law on Public Records Requests
March 13, 2023 | 7 minutes read
Arizona’s Proposed New Law on Public Records Requests

A Bit of History The date February 14th might stand out to most of us, and if you haven’t figured out why, it’s because it is the anniversary of Arizona’s Statehood. Over 100 years ago, Arizona became the 48th state to be admitted into the United States. Since governance is as old as human history, […]

Learn More »