Ky. Lawmakers Unveil Breach Notification Bill

Kentucky One of Four States Without Breach Notice Law
Kentucky Public Auditor Adam Edelen

Kentucky lawmakers have introduced legislation that, if enacted, would make the Bluegrass State the 47th state to have a data breach notification law on its books.

The legislation, House Bill 5, would only apply to breaches targeting state and local government computers as well as IT systems of other state-supported entities, such as public schools. It would not apply to businesses.

Adam Edelen, the elected state auditor of public accounts, says in an interview with Information Security Media Group that legislative support for a data breach notification law to include business doesn't exist among most Kentucky lawmakers (see Breach Law: Kentucky the 47th State?).

But Edelen suggests enacting a notification law for public agencies to report data breaches could spur lawmakers eventually to enact a broader bill to cover businesses. "It's very important that the public sector model the behavior," he said. " ... Government has the opportunity to demonstrate that [data breach notification] works, it's not onerous and could serve as a model of behavior for businesses."

Bill's Provisions

The bill would require affected agencies to notify the state police, public auditor and attorney general within 24 hours of discovery of a security breach. It also would require affected agencies to conduct a reasonable and prompt investigation after a breach is discovered.

The legislation would oblige targeted agencies to notify appropriate government authorities within 48 hours if personally identifiable information was misused, and to notify individuals whose personal data were exposed within 35 days of the completion of the investigation into a breach.

In addition, the bill would require the state to report to national consumer reporting agencies a breach in which the PII of 1,000 or more individuals was exposed.

House Bill 5 has 60 House sponsors from both political parties.

"This is an opportunity to bring increased focus on what is an incredibly important policy area, and that's the issue of privacy, by making sure that the people who support our government are protected," says Edelen, the bill's chief advocate. "I think it's a critical component of good government."

The three other states without a data breach notification law are Alabama, New Mexico and South Carolina.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
