Last week, Kentucky enacted a data breach notification law, becoming the 47th state to require notice to consumers in the event of a breach of unencrypted personally identifiable information. The law’s author, Representative Steve Riggs (D-Louisville), stated that he drafted the bill in response to learning that his state was one of only four (including Alabama, New Mexico, and South Dakota) that did not have a data breach notification law on the books. The new law will become effective in July.
The law sets a high threshold for what counts as a notifiable breach. Specifically, it requires a company to notify Kentucky residents any time it reasonably believes there has been an unauthorized acquisition of unencrypted personally identifiable information that actually causes, or leads the company to reasonably believe has caused or will cause, identity theft or fraud. The statute defines personally identifiable information as an individual’s first name or first initial and last name, in combination with their Social Security number, driver’s license number, or financial account information together with the required access code or password. Notice to regulators is not required, but notice to the credit reporting agencies is required when the breach affects more than 1,000 Kentucky residents.
While there have been many calls for a federal data breach notification law, particularly in the wake of the recent high-profile retailer breaches, for the time being, companies will have to consider the various state laws (as well as those of D.C., Guam, Puerto Rico, and the Virgin Islands) in the event of a data breach.