Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

KENTUCKY DATA PRIVACY REGULATIONS

Did You Know?

 
  • Limited methods of notification delivery;
  • Data owners are responsible for reporting and notifications; 
  • Reporting to Consumer Reporting Agencies may be required with specific information;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?

 

Breach and notification laws may apply if you are:

  • An information holder:  any person or business entity that conducts business in Kentucky;
  • An information holder that maintains computerized data that includes PII that it does not own.

There are exemptions.  

What is PII?

 

PII relevant to a breach includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver’s license;
  • Account, credit or debit card number, in combination with, and linked to, any required security code etc. permitting access to the individual's account.

LAWS

APPLICABLE LAW

A few applicable statutes include, but are not limited to:

Title XXIX – Commerce and Trade

     Chapter 365 – Trade Practices

          Records Containing Personally Identifiable Information 365.720 and 365.732

RELATED LAWS

A few related statutes include, but are not limited to:

Title XXIX – Commerce and Trade

     Chapter 365 – Trade Practices

          Records Containing Personally Identifiable Information 365.720, 365.725, 365.730, 365.734

PENALTIES

COMPLIANCE PENALTIES

Penalties for failing to follow “365.725 - Destruction of customer's records” include the customer’s right to pursue civil action, enjoinment of the business through civil action, and other remedies available by law.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • Whether any kind of key or password might have been obtained;
  • If the data was encrypted or redacted.

TIME LIMITS

Notification may be delayed if law enforcement advises the person that it will impede an investigation; otherwise, the notification must be made in the most expedient time possible and without unreasonable delay. If notification is required to more than 1,000 persons, all consumer reporting agencies must be notified with specific information without unreasonable delay.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, or persons notified exceed 500,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR