Kentucky Information Security Standards Summary

Ky. Rev. Stat. § 61.932


Subject Entities

Applies to state and local government and any of their agencies, including public school districts, colleges, and universities in the Commonwealth, as defined by the statute. Also applies to any person that receives personal information from a state or local government or agency as defined by the statute pursuant to a contract or agreement.

Security Standard

Must implement, maintain, and update reasonable security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches.

Type of Data Covered

Electronic and Physical.

Definitions

“Personal information” means an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:

  • Account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
  • Social Security number;
  • Taxpayer identification number that incorporates a Social Security number;
  • Driver’s license number, state identification card number, or other individual identification number issued by any agency;
  • Passport number or other identification number issued by the United States government; or
  • Individually identifiable health information as defined in 45 C.F.R. sec. 160.103, except for education records covered by the Family Educational Rights and Privacy Act;

“Reasonable security and breach investigation procedures and practices” means data security procedures and practices developed in good faith and set forth in a written security information policy.

Methods of Compliance

Must implement reasonable security and breach investigation procedures and practices that comply with relevant enterprise policies established by the Kentucky Office of Technology, as well as any additional requirement particular to that agency.

Agencies that contract with outside parties must include in the contract a requirement that the outside party notify the agency of a breach within 72 hours.


Last updated: January 2024