Attorney Publications

KY Rev. Stat. §365.732

H.B. 232 (signed into law April 10, 2014)

Effective July 15, 2014

H.B. 5 (signed into law April 10, 2014)

Effective January 1, 2015
Application. "Information holder" defined as any person or business entity that conducts business in the state (collectively, Entity). Specific notification obligations also apply to "non-affiliated third parties" (NTP) of state and municipal government agencies and public educational institutions that receive or collect and maintain personal information from the agencies and institutions pursuant to a contract.

Security Breach Definition. The unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity as part of a database regarding multiple individuals that actually causes, or leads the Entity to believe has caused or will cause, identity theft or fraud against any Kentucky resident.

  • Good faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used or subject to further unauthorized disclosures.

Notification Obligation.

  • Any Entity to which the statute applies must, upon discovery or notification of breach in the security system, notify any Kentucky resident whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person.
  • In the case of an NTP's security system breach, the contracting agency or institution must notify the Attorney General within 72 hours of being notified by the NTP. Private entities do not have an obligation to notify any state regulatory authority.

Notification to Consumer Reporting Agencies.

If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a, of the timing, distribution, and content of the notices.

Third-Party Data Notification.

  • An Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the data as soon as reasonably practicable following discovery, if the PI was or is reasonably believed to have been acquired by an unauthorized person.
  • An NTP, upon discovery or notification of breach in the security system, must notify its contracting agency or institution in the most expedient time possible and without unreasonable delay, within 72 hours of determining that a breach occurred. (NTPs following federal law or regulation regarding breach investigation and notice may satisfy this obligation by providing a copy of any federally required reports or investigations to the contracting agency or institution.) The contracting agency or institution bears the responsibility of notifying any affected individuals.

Timing of Notification.

  • Notice should occur in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • NTP's notice should occur in the most expedient time possible and without unreasonable delay, within 72 hours of determining that a breach occurred.

Personal Information Definition. An individual's first name or first initial and last name in combination with one or more of the following data elements when the name or data element is not redacted:

  • Social Security Number;
  • Driver license number; or
  • Account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

For NTPs, “personal information” means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:

  • An account number, credit card number, or debit card number, that, in combination with any required security code, access code, or password, would permit access to an account;
  • A Social Security number;
  • A taxpayer identification number that incorporates a Social Security number;
  • A driver's license number, state identification card number, or other individual identification number issued by any agency;
  • A passport number or other identification number issued by the United States government; or
  • Individually identifiable health information as defined in 45 C.F.R. § 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g.

Obligations under these statutes apply only to unencrypted, unredacted computerized data.

Notice Required. Notice may be provided by one of the following methods:

  • Written notice;
  • Electronic notice, if the notice is provided consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice Available. Substitute notice is available if the Entity can demonstrate that the cost of providing notice would exceed $250,000, that the number of individuals to be notified exceeds 500,000, or that it does not have sufficient contact information for those affected. Substitute notice shall consist of all of the following:

  • E-mail notification if the Entity has e-mail addresses for the affected individuals;
  • Conspicuous posting regarding the incident on the Entity's website, if the Entity maintains a website; and
  • Notification to major statewide media.

Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI, and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section, if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Exception: Compliance with Other Laws.

  • Gramm-Leach-Bliley Act; Federal Health Insurance Portability and Accountability Act; Kentucky agency, local governments or political subdivisions. The provisions of this statute and the requirements for nonaffiliated third parties in KRS Chapter 61 shall not apply to any Entity subject to the provisions of Title V of the Gramm-Leach-Bliley Act, the federal Health Insurance Portability and Accountability Act, any Kentucky agency, or any Kentucky local governments or political subdivisions.

Other Key Provisions:

  • Delay for Law Enforcement.
    • Entity's notice may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
    • NTP's notice to its contracting agency may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be given to the contracting agency as soon as reasonably feasible.

Kentucky Board of Education Regulation. The Kentucky Board of Education may promulgate administrative regulations in accordance with KRS Chapter 13A as necessary to carry out the requirements of this section.