Kentucky’s New Breach Notification Legislation

Chris Nolan

Chris Nolan

Trigg Mitchell

Trigg Mitchell

By Chris Nolan and Trigg Mitchell

Data breaches, whether big or small, can leave customers exposed to fraudulent activity. You may recall that in January 2014, Target reported that an estimated 70 to 110 million of its customers had personal information (namely, credit and debit card numbers) stolen in a widespread data breach during the holiday season. While the size of your business may be nowhere near the size of Target’s, you undoubtedly face the same kind of security threats. Unfortunately, with smaller businesses, the impact of a breach can be devastating…quickly morphing into an economic and reputational crisis – leaving customers questioning not only security systems, but the business itself.

No business’s security system is safe from hackers. What we can learn from Target and other big-name businesses (i.e., Snapchat, Michaels, Neiman Marcus) involved in security snafus is that it is not always the breach, but often the responsiveness and reaction from the company that determines the success of its recovery. Thanks to new legislation, businesses in Kentucky now have a set methodology for reaching out to customers when things go awry. Almost all other states (Kentucky is the 47th) have enacted breach notification legislation, making it a legal obligation to inform customers when a data breach occurs that could leave them vulnerable to identify theft.

Pursuant to Kentucky’s House Bill 232’s provisions, a security breach is defined as “the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder [i.e., business] as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident.”

“Personally identifiable information” includes an individual’s first name or first initial and last name in combination with one or more of the following unredacted data elements: (1) Social Security number; (2) driver’s license number; or (3) account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Upon notice or discovery that a security breach has occurred, a business must inform Kentucky residents of the breach “in the most expedient time possible and without unreasonable delay,” consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Notification can be carried out in several ways:

(a) Written notice;

(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. sec. 7001; or

(c) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds five hundred thousand (500,000), or the information holder does not have sufficient contact information. Substitute notice shall consist of all of the following:

1. E-mail notice, when the information holder has an e-mail address for the subject persons;

2. Conspicuous posting of the notice on the information holder’s Internet Web site page, if the information holder maintains a Web site page; and

3. Notification to major statewide media.

In the event that a large-scale data breach occurs, requiring notification of more than 1,000 persons at one time, consumer reporting agencies must be notified without unreasonably delay.

Businesses not only need to be aware of House Bill 232, but also House Bill 5, which was also signed by the Governor after this year’s General Assembly. Kentucky’s public agencies, while not subject to House Bill 232, are subject to their own new set of data security requirements, in the form of House Bill 5. Pursuant to this law, public agencies and “nonaffiliated third parties” that do business with governmental agencies must implement, maintain, and update security procedures and practices to safeguard against security breaches. In other words, if a business contracts with the state the provisions of House Bill 5 may apply to them, in addition to the provisions of House Bill 232.

Information subject to House Bill 5 includes a wide variety of data (far extending beyond the typically contemplated credit card information) such as employee records, student information, business trade secrets or other proprietary information. There are some exemptions in both bills for persons or entities subject to Title V of the Gramm-Leach-Bliley Act and HIPAA, as these federal laws already include breach protocols.

Security breaches are not unique to businesses, but also happen at the agency level and can have an equally harmful effect. In 2012, Kentucky’s Finance and Administration Cabinet accidentally posted the names, Social Security numbers, birth dates, home telephone numbers, and other personal information of more than 100 current and former state employees on its publicly accessible website. Prior to House Bill 5’s enactment, a state agency or a third party working with a state agency that inadvertently released confidential information about Kentucky citizens or businesses was under no obligation to inform citizens or businesses of the breach. Now, nonaffiliated third parties and agencies have 72 hours to report a security breach notification to impacted persons, law enforcement and relevant officials. Kentucky consumers and citizens should rest a little easier knowing that their information will be better protected in the future.

The procedures specified in House Bill 232 and House Bill 5 go a long way in creating uniformity and consistency, but it is up to businesses to take immediate action in creating a breach response plan, as breaches are becoming a matter of when, not if. When confidential data is on the line, so is your reputation. Time is of the essence.

J. Chris Nolan is a veteran lobbyist and communication specialist who joined MML&K Government Solutions in 1999 as Assistant Director.  

H. Trigg Mitchell joined the corporate practice group of McBrayer, McGinnis, Leslie & Kirkland, PLLC as Senior Associate in May of 2012.