Kentucky Becomes 47th State With General Breach Notice Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

April 17 --Kentucky recently became the 47th state with a law requiring companies to provide notice to residents of the commonwealth whose information is breached.  

Gov. Steve Beshear (D) signed H.B. 223, which covers unencrypted or unredacted electronic personal information, into law April 10.

The same day, Beshear signed a separate bill (H.B. 5) requiring public agencies and their vendors to provide notice to affected individuals of breaches.

H.R. 223 also includes a student education data security provision.

Risk of Harm Trigger

H.B. 223 requires companies to notify affected individuals of unauthorized access to their personal information if there is actual identity theft or fraud or if the company reasonably believes the breach “has caused or will cause, identity theft or fraud.”

Companies that are subject to the data security and breach notice provisions of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act are exempt from the new law.

If the breach involves 1,000 or more Kentucky residents, the company must also notify the major credit reporting agencies of the breach.

Separate Public Sector Breach Bill

Under the new public sector breach notice law public agencies and their contractors are required to “notify persons impacted by security breaches,” as well as state oversight officials.

Agencies must “establish reasonable security and breach investigation procedures” and “include security and breach investigation procedures in contracts” with vendors.

Under the law, the state Department for Libraries and Archives is directed to establish data disposal and destruction procedures for records containing personal information and “establish procedures to protect against unauthorized access to personal information.”

The state legislative and judicial branches are also covered by the data security requirements.

Three States Don't Have Breach Law

Only Alabama, New Mexico and South Dakota don't have any type of data breach notice law.

As of April 14, no breach notice bill has been filed in Alabama. The South Dakota Legislature adjourned March 31 without a breach notice bill being filed. A bill in New Mexico passed the House (13 PVLR 326, 2/24/14), but the bill wasn't considered by the Senate before the Legislature adjourned in February.

Student Information Protection

H.B. 223 includes a separate provision regarding student information maintained by cloud computing service providers.

Under the new law, cloud computing service providers are prohibited from processing student data for “any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services” unless the company gets express parental permission.

H.B. 223 provides that a cloud computing service provider is prohibited under the new law from using or facilitating the use of student data for advertising purposes and from selling student data for any commercial purpose.

Cloud computing service providers may also assist in educational research consistent with the federal Family Educational Rights and Privacy Act.

Full text of H.B. 223, as amended, is available at

Full text of H.B. 5, as amended, is available at

Request Bloomberg Law Privacy and Data Security