Last week, Kentucky governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. The law requires companies that suffer a data breach to provide notice of the breach to Kentucky residents “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Importantly, the notice requirement is triggered only by an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” The law defines “personally identifiable information” as “an individual’s first name or first initial and last name” in combination with any of the following information:
- The individual’s Social Security Number;
- The individual’s driver’s license number; or
- The individual’s account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to the individual’s financial account.
The required notice must be provided “in the most expedient time possible and without unreasonable delay,” although notification “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” The law allows for either written or electronic notice. Certain types of substitute notice—such as posting on the company’s website—are permitted if the cost of providing notice would exceed $250,000, if there are more than 500,000 affected individuals, or if the company does not have sufficient contact information.
In addition to creating data breach notification requirements, the new law also establishes limits regarding the use and disclosure of student data by “cloud computing service providers.” Specifically, the new law prohibits cloud service providers from:
- Processing student data “for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services” without express parental permission;
- Disclosing student data to third parties for advertising purposes; and
- Selling, disclosing or otherwise processing student data for any commercial purpose.
Data breach notification standards are already in place in 46 other states as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. Only Alabama, New Mexico, and South Dakota have not yet passed breach notification laws.