Since 2010 the number of states with data breach notification statutes had stalled at 46. No longer. Kentucky is now the 47th state to enact a data breach notification statute, effective July 14, 2014.
Kentucky’s new data breach notification statute, appearing in Ken. Rev. Stat. Chapter 365 (as amended by H.B. 232 on April 10, 2014), requires persons and entities conducting business in Kentucky to notify Kentucky residents of compromises of their “personally identifiable information” (PII). In keeping with many other states’ definitions of PII, the new KY law defines it as an individual’s first name or first initial and last name in combination with any one of the following:
- Social Security number;
- Driver’s license number; or
- Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
Unlike recent trends, however, such as HIPAA’s modified rules, which since last year presume a breach as the starting point in determining whether notification is required, Kentucky’s new law includes a harm threshold before notification is mandated. Under the statute, affected Kentucky residents need not be notified unless the breach “actually causes, or leads the information holder to reasonably believe has caused or will cause identity theft or fraud” involving a Kentucky resident.
In addition, the new law does not require notification to the Kentucky Attorney General or other governmental agencies, but it does specify that if more than 1,000 residents must be notified, then all consumer reporting agencies and credit bureaus “that compile and maintain files on consumers on a nationwide basis” must be notified without unreasonable delay.
Kentucky’s new data breach law strikes us as a catch-up measure rather than a leapfrog piece of legislation that takes into account the changing breach landscape since 2010. That said, those who maintain PII of Kentucky residents will now need to add a separate harm analysis to any breach involving customers residing in Kentucky and then provide those residents with notice “in the most expedient time possible and without unreasonable delay” – a common time standard in breach statutes.
While every breach is unique in many ways, it rarely pays to be “too quick” to pull the notification trigger before the facts, scope and circumstances (including any applicable harm threshold determinations) are well in hand and understood. All too often companies in the heat of the moment rush to the microphone, only to be forced to come back and effectively say “that breach we told you about last week… well, it’s actually twice as large as we told you it was.”
In responding to a data incident, time is not your friend, but neither is panic or a rush to conclusions. Take all the time reasonably necessary (within any notification deadlines, such as HIPAA’s 60 days) to conduct as thorough and comprehensive an analysis as possible before acting. The result will be a better PR image in the end and lower breach costs per record affected, as Ponemon’s annual data breach reports continue to highlight.
With Kentucky’s new law, only New Mexico, South Dakota and Alabama continue to buck the tide.