Kentucky Revised Statutes § 365.732
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security of the system” means unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky. Good-faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system if the personally identifiable information is not used or subject to further unauthorized disclosure.
When is notice required?
"Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (4) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
Law enforcement delay: "The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation."
Depending on the circumstances, notice may be written, electronic, or given by "substitute notice." If more than 1,000 residents must be notified, the consumer reporting agencies must be notified as well. The statute contains no provisions specifying the content of the notice.
What are the penalties for non-compliance?
Section 365.732 itself contains no damages or penalty provision. Kentucky does, however, have a sister statute, § 365.725, which sets standards of care for the retention and destruction of customer records and gives any customer a right to bring a civil action to recover damages for violations of that section. Although the two statutes cover overlapping groups of people, there are likely situations where a party complies with the records retention law but still fails to disclose a breach within the required time. In that scenario, it is unclear how the company would be held accountable.
"Way to go, Jerry. We're gonna get fried over this data breach."