Alabama, New Mexico and South Dakota are now the only states without data breach notification laws.
On April 10 Kentucky Gov. Beshear signed HB232, which requires holders of personally identifiable information (PII) to disclose data breaches to residents of Kentucky whose information was “reasonably believed” to have been stolen.
Notice can be given in writing or electronically, or by email, website posting and major statewide media if a company would face more than $250,000 in notice costs or if more than 500,000 individuals are affected by the breach.
The bill was sponsored by Rep. Steve Riggs, D-Louisville, an independent commercial lines insurance broker with Nelson Insurance Agency in Louisville.
Kentucky’s data breach notification bill follows data breach notification laws in other states.
New Mexico could be the next state to pass a data breach notification law. A bill being mulled there would require organizations to notify individuals affected by a breach within 10 days of discovering it. The measure also contains provisions instructing businesses to get rid of PII when it is no longer needed, and businesses entering an agreement with a third party must require, by contract, that the third-party vendor “implement and maintain reasonable security procedures and practices.”
In addition to the data breach notification requirements, Kentucky’s new law also prohibits cloud-computing providers from possessing student data “for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services” unless the student’s parents give permission.