Last week, Kentucky governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. The law requires companies that suffer a data breach to provide notice of the breach to Kentucky residents “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Importantly, the notice requirement is triggered only by an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” The law defines “personally identifiable information” as “an individual’s first name or first initial and last name” in combination with any of the following information:
- The individual’s Social Security Number;
- The individual’s driver’s license number; or
- The individual’s account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to the individual’s financial account.
The required notice must be provided “in the most expedient time possible and without unreasonable delay,” although notification “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” The law allows for either written or electronic notice. Certain types of substitute notice—such as posting on the company’s website—are permitted if the cost of providing notice would exceed $250,000, if there are more than 500,000 affected individuals, or if the company does not have sufficient contact information.