The Kentucky General Assembly passed two new data breach laws in the recent legislative session.
Kentucky will become the 47th state to have a general data breach notification law (HB 232), which will become effective July 15, 2014. The general data breach notification requirements will apply to any person or business that conducts business in Kentucky, other than those covered by HIPAA or Gramm-Leach-Bliley or any agency of Kentucky state government. After Kentucky’s law becomes effective, Alabama, New Mexico and South Dakota will be the only states without a data breach notification law. HB 232 also imposes data usage restrictions for cloud computing service providers providing services to any public, private or school administrative unit serving students in grades K-12.
In addition, Kentucky will have a law (HB 5) imposing data security requirements, investigation requirements and breach notification requirements on governmental agencies and nonaffiliated third parties doing business with governmental agencies. Nonaffiliated third parties who are covered by HIPAA or Gramm-Leach-Bliley are not subject to HB 5. Governmental agencies include entities such as counties, cities, boards, commissions, public school districts and public institutions of postsecondary education including public universities.
The laws throughout the United States are not uniform. So if, for example, your entity has a data breach and the data involves personal information from residents of several states, the laws of each of those states will need to be analyzed to determine 1) whether the breach triggers a notice requirement in a particular state and 2) if so, the requirements of any notification.
There are several takeaway points from these new Kentucky laws:
- Security Policies and Procedures, including Breach Investigation and Response Procedures and Practices. Every business should have reasonable security policies and procedures, as well as breach investigation procedures and practices. Personnel should be trained on data security policies and procedures. If you meet the definition of a governmental agency, or do business with a governmental agency, under the definition of HB 5, you will be required to have reasonable security and breach investigation procedures and practices in place by January 1, 2015. Even if you don’t fall under HB 5, you will generally find more favorable cyber insurance rates and have a better result in litigation and any enforcement action if you have procedures and practices in place before any breach. You will be in compliance with the notification procedures required under HB 232 if you maintain your own notification procedures as part of an information security policy that is consistent with the law’s timing requirements. This same clause is found in the statutes of many other states and can be helpful if the data breach involves residents of several states.
- Encryption. Consider encrypting the data held by your company when it is both stored and transmitted. Encryption may bring the data outside of the definition of a breach, depending on the state involved, thus avoiding a notification requirement.
- Data Mapping. Know where your data is and who has access. Is it on laptops, cell phones, file cabinets, copy machines? Know the life cycle of your data. Do you have a document retention plan and is it followed?
- Assemble the Team. Assemble a team before a breach occurs. The investigation and notification process can happen very quickly and it can save time, money and headaches if the team is prepared beforehand.
- Insurance. Have you reviewed your insurance? Does it cover data breaches and other cyber incidents? Do you need to consider cyber insurance or re-evaluate any existing cyber insurance policy in light of the new laws and current events? HB 5 requires the written agreement between the agency and the nonaffiliated third party to specify the apportionment of the costs of any notices and investigation required. Each can be quite costly.