News Feature | July 10, 2014

Kentucky Creates Stronger Data Breach Reporting Requirements

By Christine Kern, contributing writer

Data Breach Reporting Requirements

Two new laws outline notification of affected parties in wake of breaches

In the wake of the Target data breach in 2013, Kentucky lawmakers have created new notification policies so that citizens receive timely notice when credit card and other sensitive data is stolen.

Data breaches in Kentucky are now governed by two laws that outline how affected parties will be notified if their information has been compromised.

House Bill 5 and House Bill 232, signed last month by Kentucky Gov. Steve Beshear, serve to strengthen data breach reporting requirements for the public and private sectors, respectively. The measures officially took effect April 10. 

HB 5 and HB 232 require agencies that have experienced a data breach to alert the Kentucky State Police, auditor of public accounts, attorney general, Kentucky Department of Education or the Council on Postsecondary Education, depending on the public entity involved. A time period to alert those individuals impacted by the breach isn't mandated by the bills, however.

The only significant amendment to HB 5 was to remove language that would have impeded those agencies already saddled with security and reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA). Representatives of hospitals and health associations were concerned that they might be double-regulated and worked with Butler and other legislators to adjust the measures.

HB 232 was designed to address the compromise of personally identifiable information of residents of the Bluegrass State. It requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale, disclosure, or processing of student data for commercial purposes.

The new law serves as a reminder for entities conducting business in Kentucky to manage the risk of breach and the subsequent notice by including the following in their security management program:

  • Either redact or do not maintain highly sensitive data elements in databases
  • Encrypt security codes, access codes, passwords, and personally identifiable information itself whenever possible
  • As part of the organization’s information security policies:
    • Provide policies for the handling of personal information and for further restricting uses and disclosures that occur pursuant to a good faith acquisition of personal information by an employee or agent
    • Develop notification procedures or review existing notification procedures and follow them when the law’s notice requirement is triggered
    • Train workforce members on these policies and procedures
  • Address notification provisions and allocate risk appropriately in contracts with service providers who maintain databases that may contain personal information