The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Individuals, businesses, and governmental entities that maintain, own, or license personal information.
Consumer Notification: Notification must be provided to any Kentucky resident whose unencrypted and unredacted personal information was acquired without authorization in a way that compromises the “security, confidentiality, or integrity” of that information and that actually causes, or is reasonably believed to have caused or will cause, harm.
Regulatory Notification: N/A
Notification Timeline: Notice must be made in the “most expedient time possible and without unreasonable delay”.
Data Format: Electronic.
Citations: Ky. Rev. Stat. § 365.732.
- Breach: Unauthorized acquisition that compromises the “security, confidentiality, or integrity” of personal information that actually causes, or is reasonably believed to have caused or will cause, harm.
- Personal Information (PI): An individual's first name or first initial and last name in combination with one of the following data elements:
- Social Security number;
- Driver's license number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: A “breach” does not occur if the personal information was encrypted or redacted.
- Good Faith: Good-faith acquisition of personal information is not a breach if the information is not used or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if the entity reasonably believes the breach has not caused and will not cause identity theft or fraud against any resident.
- Law Enforcement Delay: Notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
- Timing: Notice shall be made in the “most expedient time possible” and “without unreasonable delay”.
- Format: N/A
- Content: N/A
- Method: Written notice; or electronic notice, if the notice provided is “consistent with the provisions regarding electronic records and signatures” per E-SIGN.
If the cost of providing notice would exceed $250,000, the affected class of consumers exceeds 500,000, or the information holder does not have sufficient contact information, substitute notice may be given instead. Substitute notice consists of all of the following: (1) e-mail notice if the entity has e-mail addresses for the affected consumers; (2) conspicuous posting of the notice on the entity's web page; and (3) notification to major statewide media.
Credit Reporting Agencies Notice:
If notification includes more than 1,000 consumers, the entity shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.
An entity that maintains personal information that it does not own shall notify the owner or licensee of any breach as soon as reasonably practicable following discovery.
The provisions of this statute shall not apply to any entity who is subject to the provisions of HIPAA.
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Kentucky, not including a purchasing group or a risk retention group chartered and licensed in a state other than Kentucky or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program, based on the licensee’s risk assessment, that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. A licensee with fewer than fifty (50) employees, including independent contractors, is exempt.
Consumer Notification: A licensee shall comply with the Kentucky Data Breach Statute enumerated in KRS 365.732.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, and in no event later than 3 business days after determining that a cybersecurity event involving nonpublic information in the licensee’s possession has occurred, if either of the two criteria listed below is met. The 250-resident threshold applies only to the second criterion; the first (Kentucky as state of domicile or home state, plus a reasonable likelihood of material harm to the licensee’s operations) has no headcount threshold.
Notification Timeline: As promptly as possible, and no later than 3 business days after a determination that a cybersecurity event involving nonpublic information in the licensee’s possession has occurred.
Citations: KRS 304.3-750 to 304.3-768.
- Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of Kentucky and whose nonpublic information is in the possession, custody, or control of a licensee.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Kentucky, not including a purchasing group or a risk retention group chartered and licensed in a state other than Kentucky or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction. A licensee with fewer than fifty (50) employees, including independent contractors, shall be exempt from the requirements of KRS 304.3-750 to 304.3-768.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
- Business-related information of a licensee that if tampered with, or disclosed, accessed, or used without authorization, would cause a material adverse impact to the business, operations, or security of the licensee.
- Any confidential personal identifying information of a consumer, including:
- Social Security number;
- Operator’s license number or personal identification card number;
- Financial account number or credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records.
- Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, when either of the following criteria has been met:
- Kentucky is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in KRS 304.9-020, and the cybersecurity event has a reasonable likelihood of materially harming any material part of licensee’s operations.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in Kentucky and the cybersecurity event is either:
- A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law, or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Kentucky or a material part of licensee’s operations.
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- A copy of the notice sent to consumers under KRS 365.732, if applicable.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity event has occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance, unless the third-party service provider provides the notice itself. The licensee's deadlines begin on the earlier of (a) the day after the third-party service provider notifies the licensee of the cybersecurity event, or (b) the day the licensee otherwise has actual knowledge of the cybersecurity event.
An insurance producer violating this chapter may be penalized in accordance with KRS 304.99-020:
- For any violation of this code where the commissioner has the power to revoke or suspend a license or certificate of authority, the commissioner may in lieu thereof or in addition to such revocation or suspension impose a civil penalty against the violator in the case of an insurer, a fraternal benefit society, nonprofit hospital, medical-surgical, dental, and health service corporation, or health maintenance organization of not more than $10,000 per violation; in the case of an agent, surplus lines broker, rental vehicle agent or managing employee, specialty credit producer or managing employee, or reinsurance intermediary broker or manager of not more than $1,000 per violation; in the case of an adjuster, administrator, life settlement broker, life settlement provider, or consultant of not more than $2,000 per violation.
- Such civil penalty may be recovered in an action brought thereon in the name of the Commonwealth of Kentucky in any court of appropriate jurisdiction.
- In any court action with respect to a civil penalty, the court may review the penalty as to both liability and reasonableness of amount.
Information Security Standard
Covered Entities: An agency or non-affiliated third party that maintains or otherwise possesses personal information.
First Party Security Standard: An agency or non-affiliated third party that maintains or otherwise possesses personal information shall implement, maintain, and update security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches.
Third Party Security Standard: For agreements executed or amended on or after January 1, 2015, any agency that contracts with a non-affiliated third party and discloses personal information to it shall require, as part of that agreement, that the non-affiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in KRS 61.932(1)(b), and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.
A non-affiliated third party that is provided access to personal information by an agency, or that collects and maintains personal information on behalf of an agency, shall notify the agency in the most expedient time possible and without unreasonable delay, and in any event within 72 hours of determining that a security breach relating to the personal information in its possession has occurred. The notice to the agency shall include all information the non-affiliated third party has regarding the security breach at the time of notification.
The agreements described above shall specify how the cost of the notification and investigation requirements under KRS 61.933 is to be apportioned when a security breach is suffered by the agency or the non-affiliated third party.
Disposal/Destruction Standard: N/A
Data Format: Electronic and Paper.
Citations: Ky. Rev. Stat. § 61.932; Ky. Rev. Stat. § 365.732.
- Personal Information (PI): An individual’s first name or first initial and last name in combination with one (1) or more of the following unencrypted data elements:
- Social Security number;
- Driver’s license number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define what constitutes “reasonable security procedures and practices …”