Breach Law: Kentucky the 47th State?
Legislature to Consider Breach Notification Bill
As the elected auditor of public accounts in Kentucky, Adam Edelen is on a campaign of sorts, to get the Bluegrass State to become the 47th state to enact a data breach notification law.
Edelen last month issued a 37-page audit of state government information security - Cybersecurity: Pay Now or Pay More Later - in which the public auditor argues in favor of breach notification requirements: "If it's good enough for 46 other states, then it's good enough for us."
In a conversation I had the other day with Edelen, he said that bipartisan legislation will be introduced perhaps within a week. If enacted, it would give Kentuckians rights to be notified of data breaches that are similar to those in most other states.
But the prospective legislation would only cover breaches of government computers and not businesses and not-for-profit organizations. Legislative support for a more comprehensive data breach notification law to include business doesn't yet exist among a majority of Kentucky lawmakers, Edelen says.
"There ought to be a requirement for business, but not at this stage," he says. "It's very important that the public sector model the behavior. I have a natural reluctance to force a new set of requirements on the non-profit and for-profit [organizations] that we haven't put on government. I think government has the opportunity to demonstrate that [data breach notification] works, it's not onerous and could serve as a model of behavior for businesses."
The legislation would include most public institutions, including municipal and county governments, public schools and state-supported colleges and universities. Edelen says details of the legislation are being worked out.
Bipartisan Support Doesn't Assure Passage
Edelen is a Democrat, as are Gov. Steve Beshear and the majority of the House of Representatives. The Senate is controlled by Republicans. The auditor identifies the sponsors of the data breach notification bill as Democrat Denny Butler of Louisville and Republican Sal Santoro of Florence. Despite bipartisan support, there's no assurance that the bill will be enacted, although Edelen characterizes the concept of breach notification as a "no brainer."
"This is such a common sense bill [that] those opposed to it are going to find that we built a broad consensus committed to doing the right thing," he says.
Bipartisanship doesn't always result in legislative action. Just look at Congress. Democrats and Republicans on Capitol Hill agree on most cybersecurity matters, but Congress has been unable to enact significant cybersecurity reform - including a national data breach notification law - in more than a half decade (see Cybersecurity Legislation: What's Next?). Reaching a compromise on the few areas of disagreement on matters of IT security and privacy has eluded Congress, and that also seems to be the case in the four states - Alabama, New Mexico and South Carolina being the others - that have yet to enact data breach notification laws.
Edelen remains hopeful 2014 will be the year that a limited data breach notification bill becomes law in Kentucky. "It's an important opportunity for us in Kentucky to catch up with the rest of the country in terms that Kentuckians have the same information security infrastructure supporting them that folks in Maryland, New York or California have," he says. "This is an opportunity to bring increased focus on what is an incredibly important policy area, and that's the issue of privacy, by making sure that the people who support our government are protected. I think it's a critical component of good government."
But good government, to the dismay of the citizenry, is rarely easily achieved.