Information Covered / Important Definitions
Personal information of Kentucky residents.
[For NTPs (see below), definition also includes first name or first initial and last name, or personal mark, or unique biometric or genetic print or image, in combination with typical data elements or one or more of the following: (i) taxpayer ID number that incorporates a SSN, (ii) state ID card number or any other individual ID number issued by any agency, (iii) passport number or other ID number issued by the USG, (iv) or individually identifiable health information as defined in HIPAA (except education records covered by FERPA).]
“Security Breach” means unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the covered entity as part of a database regarding multiple individuals that actually causes, or leads the covered entity to reasonably believe has caused or will cause, identify theft or fraud against a Kentucky resident.
“Nonaffiliated Third Party (NTP)” means any person that has a contract or agreement with (and receives personal information from) a government agency, subdivision, instrumentality, or unit, including such institutions as a public school or public institute.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business entity that conducts business in Kentucky.
Also covered are NTP’s per KRS §61.931.
Third party recipients:
A covered entity that maintains or otherwise possesses personal information that the individual or commercial entity does not own must notify the owner or licensee of the information of any security breach as soon as reasonably practicable following discovery of security breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach in the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity does not have sufficient contact information.
- Notice only required by a security breach that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.
A covered entity that must notify more than 1,000 consumers at one time of a security breach is also required to promptly notify all consumer reporting agencies of the security breach.
A business disposing of customer records must take reasonable steps to destroy the records with personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or indecipherable.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
Exemption for good faith acquisition by an employee or agent of the covered entity for the purposes of the covered entity, so long as personal information is not used or subject to further unauthorized disclosure.
Kentucky statute does not apply to an individual or commercial entity that maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Kentucky statute.
Entities subject to the provisions of the GLBA are exempt.
Entities subject to the provisions of HIPAA are exempt.
Notification to Regulator / Waiver
[An NTP must notify its contracting agency or institution within 72 hours of determining that a breach occurred. The contracting agency or institution is responsible for notifying affected individuals.]
A determination of no likelihood of harm:
Does not require notification to attorney general.
Attorney general may seek equitable and/or legal remedies.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.