HB 5 is the Kentucky data privacy bill that imposes data security requirements, investigation requirements and breach notification requirements on governmental agencies and “nonaffiliated third parties” (NTPs) doing business with governmental agencies, with a few exceptions. 

QUESTION:  My entity is not an “agency,”  so does HB 5 apply to me?

ANSWER: It depends.  If you have a contract with an “agency” in which you maintain or possess personal information, in any form, HB 5 applies.  For simplicity, personal information means a person’s name and at least one item on a list set out in HB 5, such as social security number, driver’s license number, credit card number or account number (for example, utility account or retirement account) along with a code to allow access to the credit card or account number.  For the complete definition of personal information click here, click on "SCS" and go to section 1(6). 

We have been advised by a spokesperson from the State Auditor’s office that HB 5 will not apply to entities subject to the provisions of Title V of Gramm-Leach-Bliley (GLB) or HIPAA.  Currently, the GLB and HIPAA exemptions to HB 5 and HB 232 appear in a provision of HB 232, a data breach notification bill applicable to any information holder conducting business in Kentucky.

HB 5 is a broad-reaching bill.

We recently sent one question to State Rep. Steve Riggs who accessed qualified legal staff at the Auditor of Public Accounts involved in codifying HB 5.  We asked whether HB 5 would apply to certain entities and the answer we received provides an excellent example of how one might analyze a situation.

Here is a summary of the question and answer:

QUESTION: Would either a private high school or a private college participating in the KEES Program (the Kentucky Education Excellence Scholarship) be required to comply with HB 5?

ANSWER: It depends. 

The KEES Program is administered through the Kentucky Higher Education Assistance Authority (KHEAA).  The KHEAA is an “agency” as defined in HB 5, Section 1(1).  

An NTP is defined as any person that (a) has a contract or agreement with an agency, and (b) receives personal information from the agency pursuant to the contract or agreement.

Thus, a private high school or private college that has a contract or agreement with KHEAA and sends personal information to KHEAA, but does not receive personal information from KHEAA, would not be an NTP.

A private high school or private college, however, that has a contract or agreement with KHEAA and receives personal information from KHEAA would be an NTP.

QUESTION:  What governmental entities are subject to the new law?  How broad is it?

ANSWER: It is very broadly written, as can be seen from the example above.  The definition of “agency” includes, but is not limited to, the executive branch of state government; every county, city, municipal corporation, or urban county government; and any department, ad hoc committee, public agency, special purpose governmental entity, or instrumentality of the executive branch or of a county, city, municipal corporation, or urban county government.  The definition of agency also includes every public school district and public institution of postsecondary education, including every public university in the Commonwealth of Kentucky and the Kentucky Community and Technical College System (KCTCS).

You will need to parse through the definition carefully to determine whether the definition of agency is met.  For example, airport boards meet the definition.  Special purpose governmental entities meet the definition.  For the complete definition of “agency” click here, click on "SCS" and go to section 1(1). 

QUESTION:  So, if HB 5 applies, what does that mean?

ANSWER: If HB 5 applies, whether because you meet the definition of agency or because you are an NTP having a contract with an agency under which you maintain or possess personal information, you must implement, maintain and update security procedures and practices, including taking any appropriate corrective action to protect and safeguard against security breaches.  Security procedures and practices must be in place by January 1, 2015.

In addition, other HB 5 requirements such as data breach notification requirements apply.