The quartet of states without data breach notification statutes was reduced to a trio last month when Kentucky became the 47th state to enact a notification requirement.  Alabama, New Mexico, and South Dakota now stand as the only states without data breach notification statutes – although New Mexico appears poised to be the next state to fall in line, with the New Mexico House of Representatives having unanimously passed a data breach notification bill on February 17, 2014.

The new Kentucky law, H.B. 232, goes into effect on July 14, 2014, and generally mirrors the data breach notification provisions of the 46 states that preceded it. But the key provisions are as follows:

  • The law appears to apply only to computerized data, not paper records.
  • The law focuses on “acquisition of,” rather than access to, personally identifiable information.
  • Notifications are triggered on a “risk of harm” basis, when the information holder believes the breach has caused or will cause identity theft or fraud.
  • The notification must occur “in the most expedient time possible and without unreasonable delay,” but there is no express timeframe within which notice must be provided.

The most unique provision of the bill provides special protections for student data stored in cloud computing services.  The law prohibits cloud computing service providers from processing student data “for any purpose other than providing, improving, or maintaining the integrity of its cloud computing services” without express parental permission, although it does allow for limited disclosures to the educational institutions for research, as allowed by FERPA.  It also prohibits the use of student data in advertising and the sale of student data.