Kentucky Data Breach Notification

Kentucky HB 232, signed into law in 2014, requires any person or business entity that conducts business in Kentucky to provide notification of a breach of the security of the system. A breach is an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information (PII) maintained by the information holder as part of a database regarding multiple individuals, and that causes, or leads the information holder to believe it has caused or will cause, identity theft or fraud against a Kentucky resident. Upon notification or discovery of such a breach, an information holder must notify any resident of Kentucky whose unencrypted information was, or is reasonably believed to have been, acquired by an unauthorized person. The law applies to any person that conducts business in the state and owns, licenses, or maintains computerized data.

The policy detects combinations of PII such as Social Security, credit card, and driver’s license numbers. The rules for this policy are:

  • Kentucky Data Breach Notification: Account and Password
  • Kentucky Data Breach Notification: Name and CCN
  • Kentucky Data Breach Notification: Name and Password (Wide)
  • Kentucky Data Breach Notification: Name and Password (Default)
  • Kentucky Data Breach Notification: Name and Password (Narrow)
  • Kentucky Data Breach Notification: Name and SSN
  • Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
  • Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
  • Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)