How Can We Help?
Kentucky | Data Breach Law
How to Comply
In Kentucky, businesses that suffer a harmful data breach must notify affected Kentucky residents as soon as possible through mail or electronic means. When the cost of notification exceeds $250,000, or more than 500,000 people are affected, businesses can use public service announcements to fulfill their notification requirements. When 1,000 or more people are affected, all consumer-reporting agencies must be notified. To learn more about KY’s data breach laws, keep reading.
| Name of Law / Statute | N/A |
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes. |
| Who Is Subject to Law? | Any person conducting business in the state |
| Notification of Consumers? | Yes, but only if actual or reasonable chance of fraud or identity theft |
| By what means? | Written or electronic; if >1000 residents, must notify consumer reporting agencies |
| Substitute Notice Threshold? | If cost of notice >$250,000 or involves >500k residents |
| Notification of authorities / regulators required? | No |
| By what means? | N/A |
| Regulatory Fines | N/A |
| Credit monitoring requirement? | No |
| Private lawsuits allowed? | No |
| Private damages cap? | N/A |
| Regulatory actions allowed? | N/A |
| HIPAA Compliance exemption? | Yes |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted or redacted |
| Link to complete law | http://www.lrc.ky.gov/statutes/statute.aspx?id=43326 |
Learn more about Kentucky’s data breach law.