April 17 --Kentucky recently became the 47th state with a law requiring companies to provide notice to residents of the commonwealth whose information is breached.
Gov. Steve Beshear (D) signed H.B. 223, which covers unencrypted or unredacted electronic personal information, into law April 10.
The same day, Beshear signed a separate bill (H.B. 5) requiring public agencies and their vendors to provide notice to affected individuals of breaches.
H.R. 223 also includes a student education data security provision.
H.B. 223 requires companies to notify affected individuals of unauthorized access to their personal information if there is actual identity theft or fraud or if the company reasonably believes the breach “has caused or will cause, identity theft or fraud.”
Companies that are subject to the data security and breach notice provisions of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act are exempt from the new law.
If the breach involves 1,000 or more Kentucky residents, the company must also notify the major credit reporting agencies of the breach.
Under the new public sector breach notice law public agencies and their contractors are required to “notify persons impacted by security breaches,” as well as state oversight officials.
Agencies must “establish reasonable security and breach investigation procedures” and “include security and breach investigation procedures in contracts” with vendors.
Under the law, the state Department for Libraries and Archives is directed to establish data disposal and destruction procedures for records containing personal information and “establish procedures to protect against unauthorized access to personal information.”
The state legislative and judicial branches are also covered by the data security requirements.
Only Alabama, New Mexico and South Dakota don't have any type of data breach notice law.
As of April 14, no breach notice bill has been filed in Alabama. The South Dakota Legislature adjourned March 31 without a breach notice bill being filed. A bill in New Mexico passed the House (13 PVLR 326, 2/24/14), but the bill wasn't considered by the Senate before the Legislature adjourned in February.
H.B. 223 includes a separate provision regarding student information maintained by cloud computing service providers.
Under the new law, cloud computing service providers are prohibited from processing student data for “any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services” unless the company gets express parental permission.
H.B. 223 provides that a cloud computing service provider is prohibited under the new law from using or facilitating the use of student data for advertising purposes and from selling student data for any commercial purpose.
Cloud computing service providers may also assist in educational research consistent with the federal Family Educational Rights and Privacy Act.
Full text of H.B. 223, as amended, is available at http://op.bna.com/pl.nsf/r?Open=dapn-9j9pa4.
Full text of H.B. 5, as amended, is available at http://op.bna.com/pl.nsf/r?Open=dapn-9j6pxg.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).