In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them. However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency. Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.
HB 5 applies to governmental agencies of the Commonwealth of Kentucky, including local governments and subdivisions, such as counties, cities, state universities, local school boards and others. It also applies to individuals and businesses that do business with those governmental agencies, called “nonaffiliated third parties.” If these entities maintain or possess personal information, regardless of the form in which the personal information is maintained, whether electronic or paper, then they must implement security procedures and practices set by the Commonwealth Office of Technology or Department for Local Government to protect and safeguard against security breaches. They are also required to take appropriate corrective action in the event of a security breach. Contracts with governmental agencies signed or amended on or after January 1, 2015 should contain provisions requiring nonaffiliated third parties to maintain security and breach investigation procedures that are appropriate to the nature of the information disclosed. To read a more detailed overview of HB 5, click here. Read a few interesting FAQs about HB 5 here.
HB 232 enacts general data breach notification requirements for any person or business that conducts business in Kentucky, called “information holders.” HB 232 applies more broadly than HB 5 and is not limited to only those who contract with governmental agencies. Further, HB 232 does not apply to any agency of Kentucky government, local government or subdivision. HB 232 does not specify how an entity must safeguard personal information but simply states that any information holder must provide notification if there has been a breach of unencrypted, electronically-stored personally identifiable information which could likely result in fraud or identity theft. The quick takeaway here is that if you possess personal information (such as names and social security numbers or account numbers), then you should encrypt that information. To read a more detailed overview of HB 232, click here.
With the enactment of these new data breach laws in Kentucky, now almost every state has a data breach law—and if you have seen one state data breach law, then you have seen one state data breach law. Every state law is different, especially in the timing of notification in the event of a breach. In addition, many state data breach laws define personally identifiable information in a way that is not aligned with the definition of “individually identifiable health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It is also important to note that the Kentucky data breach law sets forth a standard for “encryption,” while other state data breach laws do not specify an encryption standard and some laws do not address encryption at all. If you do business in a variety of states, then you should be familiar with these different state laws and their varying requirements. The varying definitions and requirements could also impact an entity’s cyber liability insurance policy coverage.