On April 10, 2014, Kentucky Governor Steve Beshear signed into law a data breach notification statute requiring persons and entities conducting business in Kentucky to notify individuals whose personally identifiable information was compromised in certain circumstances. The law will take effect on July 14, 2014.

Kentucky’s data breach notification law covers “personally identifiable information,” which is defined as an individual’s first name or first initial and last name in combination with any of the following:

  • Social Security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

The breach notification law contains a harm threshold: entities are not required to notify affected Kentucky residents unless the breach “actually causes, or leads the [entity] to reasonably believe has caused or will cause identity theft or fraud.”

The law does not require entities to notify the state Attorney General or any other government agencies, but it does require notice to all consumer reporting agencies and credit bureaus if more than 1,000 residents are to be notified at one time.

Alabama, New Mexico and South Dakota are now the only U.S. states that have not yet enacted a data breach notification law.

View an unofficial copy of the statute.