| Ky. Rev. Stat. § 365.732 |
|---|
| Type of Data Covered | Deadline for Notification | Government Notice |
|---|---|---|
| Electronic. | Most expedient time possible without unreasonable delay. | No. |

Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Applicable exemptions are set forth below. |
|
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following unencrypted and unredacted data elements:
|
|
Definition of Breach |
Unauthorized acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personally identifiable information maintained as part of a database regarding multiple individuals, excluding certain good faith acquisitions. |
|
Type of Data Covered |
Electronic. |
|
Encryption Safe Harbor |
Statute does not apply to encrypted or redacted personal information. |
|
Risk of Harm Analysis |
Notification is not required if the entity reasonably believes the breach has not caused and will not cause identity theft or fraud against any resident. |
|
Consumer Notice Requirements |
Timing: Must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is available under certain circumstances. |
|
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice would exceed $250,000, the affected class to be notified exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice must include:
|
|
Third Party Notice Requirements |
If the entity maintains personal information that it does not own, it must notify the owner or licensee of a breach as soon as reasonably practicable following discovery if the information was, or is reasonably believed to have been, acquired by an unauthorized person. A nonaffiliated third party working on behalf of an agency shall notify the agency of a security breach in the most expedient time possible and without unreasonable delay, but no later than 72 hours after discovery of the incident. |
|
Delayed Notice Requirements |
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. |
|
Consumer Reporting Agency Obligations |
If notification is required to more than 1,000 residents, the entity must notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the consumer notice. |
|
Potential Penalties |
Violations may result in civil penalties and other remedies. |
|
Notification Requirements for Government Agencies |
Please see Kentucky Rev. Stat. § 61.932 and § 61.933 for specific requirements and/or penalties for applicable government agencies. |
|
Additional Provisions Exemptions |
Statute does not apply to entities subject to HIPAA or GLBA. Does not apply to state agencies, local governments, or political subdivisions. |
Last updated: January 2024