Kentucky | Data Breach Law

January 3, 2018

Kentucky | Data Breach Law

You are here:
< Back

How to Comply

In Kentucky, businesses that suffer a harmful data breach must notify affected Kentucky residents as soon as possible through mail or electronic means. When the cost of notification exceeds $250,000, or more than 500,000 people are affected, businesses can use public service announcements to fulfill their notification requirements. When 1,000 or more people are affected, all consumer-reporting agencies must be notified. To learn more about KY’s data breach laws, keep reading.

Name of Law / Statute N/A
Definition of Protected Information Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law? Any person conducting business in the state
Notification of Consumers? Yes, but only if actual or reasonable chance of fraud or identity theft
By what means? Written or electronic; if >1000 residents, must notify consumer reporting agencies
Substitute Notice Threshold? If cost of notice >$250,000 or involves >500k residents
Notification of authorities / regulators required? No
By what means? N/A
Regulatory Fines N/A
Credit monitoring requirement? No
Private lawsuits allowed? No
Private damages cap? N/A
Regulatory actions allowed? N/A
HIPAA Compliance exemption? Yes
Other  (e.g., timeframe) Law does not apply if PI was encrypted or redacted
Link to complete law

Learn more about Kentucky’s data breach law.