The Kentucky Consumer Data Protection Act Goes into Effect on January 1, 2026: Is Your Business Ready?

by Margaret Young Levi

Kentucky’s new privacy law, the Kentucky Consumer Data Protection Act (KCDPA), will afford Kentucky consumers certain rights over their personal data. Importantly, the KCDPA imposes new requirements on certain businesses that either control or process personal data, called “controllers” and “processors.” The KCDPA was signed into law on April 4, 2024, and goes into effect on January 1, 2026. It is codified at KRS 367.3611 to KRS 367.3629. The KCDPA’s approximately 21-month lead time before its effective date allowed businesses that are “controllers” to bring their consumer data collection and processing practices in line with the law’s requirements. Businesses that have not yet reviewed the KCDPA should do so immediately to determine whether the law applies to them and, if so, what actions they need to take to comply.

PROTECTED PERSONAL DATA

The KCDPA creates protections for “personal data,” which means information that is linked, or reasonably could be linked, to an identified or identifiable natural person. It does not include de-identified data or information that is publicly available.

One useful exemption is data processed or maintained by a controller in their role as an employer. The KCDPA exempts data regarding job applicants, employees, agents, and independent contractors that is used for employment, relates to the administration of benefits, or is used for emergency contact purposes.

The KCDPA also exempts numerous other types of personal data, much of which is protected under other laws. For example, it exempts protected health information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA) and human subjects research data protected by various laws. In addition, the KCDPA exempts from its application data regulated by the Health Care Quality Improvement Act of 1986, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act (FERPA), and the federal Farm Credit Act.

CONSUMER RIGHTS

The KCDPA grants consumers certain rights over their personal data. For purposes of the KCDPA, a “consumer” is a Kentucky resident, a natural person acting only in an individual context. A “consumer” does not include a person who is acting in a commercial or employment context.

The KCDPA grants consumers the following rights:

  1. To confirm whether a controller is processing the consumer’s personal data;
  2. To obtain access to the consumer’s personal data;
  3. To correct inaccuracies in the consumer’s personal data;
  4. To delete personal data provided by or obtained about the consumer;
  5. To obtain a copy of the consumer’s personal data in a portable and readily usable format; and
  6. To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

In order to exercise these rights, a consumer may submit a request to a controller, at any time, via the method specified in the controller’s privacy notice, which is discussed further below. A child’s parent or legal guardian may invoke such consumer rights on behalf of the child. Controllers must respond to consumer requests within 45 days.

BUSINESSES THAT ARE SUBJECT TO THE KCDPA

The KCDPA applies to certain businesses located in Kentucky or targeting Kentucky residents. In particular, it applies to natural persons or legal entities that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that, during a calendar year, “control” or “process” personal data of at least: (a) 100,000 consumers, or (b) 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

There are a handful of business categories exempt from the KCDPA. Specifically, the KCDPA does not apply to any:

  1. City, state agency, or any political subdivision of the state;
  2. Financial institution, its affiliates, or data subject to the Gramm-Leach-Bliley Act;
  3. HIPAA covered entity or a business associate of such covered entity;
  4. Nonprofit organization;
  5. Institution of higher education;
  6. Small telephone utility, a Tier III CMRS provider, or a municipally owned utility that does not sell or share personal data with any third-party processor; or
  7. Organization that:
    i) Does not provide net earnings to, or operate in any manner that inures to the benefit of any officer, employee, or shareholder of the entity; and
    ii) collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting either (a) law enforcement agencies in connection with suspected insurance-related crimes or fraud, or (b) first responders in connection with catastrophic events.

Many of these exempted entities are already subject to other state or federal data protection laws.

CONTROLLER RESPONSIBILITIES AND OBLIGATIONS

The KCDPA imposes various responsibilities and obligations upon controllers, which include, but are not limited to, the following:

  1. Limit Collection and Use of Personal Data. Controllers must limit the collection of personal data to what is “reasonably necessary.” If the controller desires to process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes, then they must obtain the consumer’s consent.
  2. Implement Reasonable Security Practices. Controllers are required to protect the personal data entrusted to them. They must ensure that they have in place “reasonable administrative, technical, and physical data security practices” to protect the “confidentiality, integrity, and accessibility” of personal data. The KCDPA declines to specify exactly what these data security practices entail but allows flexibility and scalability based on the volume and nature of the personal data involved. More personal data and more sensitive data would, of course, demand tighter security measures.
  3. Consumer Rights. Controllers will need to timely comply with an authenticated request from a consumer to exercise a consumer right. In addition, they will need to establish, and follow, a process for a consumer to appeal the controller’s refusal to act on a request.
  4. Nondiscrimination. A controller must comply with state and federal laws that prohibit unlawful discrimination against consumers.
  5. Obtain Consent for Use of Sensitive Data. Sensitive data requires special handling procedures. “Sensitive data” is personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data that can identify a specific natural person, personal data collected from a known child, or precise geolocation data. Controllers must first obtain the consumer’s consent before processing any sensitive data. Controllers must comply with the federal Children’s Online Privacy Protection Act (COPPA) when processing sensitive data from a known child.
  6. Contracts with Processors. Controllers must enter into binding contracts with processors that perform operations on personal data on behalf of a controller, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. This contract shall include:

    a. Clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
    b. A requirement that the processor ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
    c. A provision regarding the deletion or return of all personal data to the controller upon termination of the contract;
    d. A requirement for the processor to make available to the controller all information in the processor’s possession in order to demonstrate the processor’s compliance with the KCDPA;
    e. A requirement for the processor to cooperate with the controller’s assessments of the processor’s policies and technical and organizational measures designed to comply with the KCDPA; and
    f. A requirement to enter into a written contract with any subcontractor that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Controller versus Processor. Whether your business is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. Nevertheless, a processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. (KRS 367.3619(4).) The KCDPA provides, however, that nothing in the law’s section on obligations of a processor (in KRS 367.3619) is to be construed as relieving a controller or processor from the liability imposed on it by virtue of its role in a processing relationship as defined by the KCDPA. KRS 367.3619(3).

  7. Privacy Notices. Like HIPAA and other privacy laws, the KCDPA requires controllers to provide consumers with a privacy notice that informs them about how the controller uses and discloses their personal data and how consumers can exercise their rights. The privacy notice must be “reasonably accessible, clear, and meaningful” and include:

    a. The categories of personal data processed by the controller;
    b. The purpose for processing personal data;
    c. How consumers may exercise their consumer rights, including how a consumer may submit a request to exercise their consumer rights as well as how to appeal a controller’s decision on such a request;
    d. The categories of personal data that the controller shares with third parties, if any, and the categories of third parties, if any, with whom the controller shares personal data; and
    e. Whether a controller sells personal data or uses the personal data for targeted advertising, and how a consumer may exercise the right to opt out of such processing.

The KCDPA does not specify how the privacy notice should be communicated to consumers, merely that it should be “conspicuously available.”

  8. Data Protection Impact Assessment. Controllers must perform, and document, a data protection impact assessment identifying the benefits from certain processing of personal data (such as sensitive data, targeted advertising, profiling, and the sale of personal data). These identified benefits should be weighed against the potential risks to the consumer’s rights associated with such processing. The controller should also consider whether employing safeguards could mitigate those risks. The data protection impact assessment should be performed on processing activities generated on or after June 1, 2026. The Kentucky Attorney General may demand a copy of this assessment as part of an investigation.

ENFORCEMENT

The Kentucky Attorney General has exclusive authority to enforce violations of the KCDPA. Before it can seek damages for alleged violations, the KCDPA requires the Kentucky Attorney General to first provide a controller or processor with written notice identifying alleged violations and allow the controller or processor an opportunity to cure the violation(s). If cured, then no further enforcement action is taken. If not cured, then the Kentucky Attorney General may bring an action seeking damages of up to $7,500 for each violation. There is no private right of action for violations of the KCDPA.

Looking for assistance in navigating compliance with the KCDPA?  We work with our clients regarding their policies and procedures related to compliance with the KCDPA, HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Deadline Approaching to Revise HIPAA Policies

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic. 

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Iranian Threat Actors Use Password Spraying And MFA Push-Bombing To Hack Organizations In Critical Sectors

Written by: Kathie McDonald-McClure

On October 16, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the National Security Agency (“NSA”) issued a Joint Cybersecurity Advisory warning that threat actors from Iran are using “password spraying” and Multi-Factor Authentication (MFA) “push-bombing” (also called “MFA fatigue”) to gain access to organization networks and web-based applications in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.  

With password spraying, the threat actor compiles a list of usernames and then tries to log in to each account with a single commonly used password. If the attempt fails, the attacker moves on to a different common password and tries again across the list until one succeeds. Even where MFA is in place, using a strong password in the first instance can impede a threat actor’s further attempts to gain access via MFA push-bombing, because the push prompts only begin once the password is known.

With MFA push-bombing, the threat actor sends a legitimate user’s smartphone a large number of MFA push notifications, hoping that the user will approve one to stop the barrage. Once the threat actor gains access to an account, they frequently register their own devices with MFA to enable persistent access to the environment via a valid account.
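As an added example (not code from the Advisory or from this post), the following Python flags both patterns described above in constructed identity-provider style authentication logs; the log format, the event names LOGIN, MFA_PUSH and MFA_ENROLL, and the thresholds are assumptions to be tuned to your own IdP:

```python
# Added example (not the advisory's or the original post's code): flag the
# two patterns the advisory describes in constructed IdP-style auth logs.
# Log format, event names and thresholds are assumptions; tune to your IdP.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log: "<ISO time> <event> <user> <source> <result>"
SAMPLE_LOG = """\
2024-10-16T09:00:01 LOGIN alice 203.0.113.9 FAIL
2024-10-16T09:00:03 LOGIN bob 203.0.113.9 FAIL
2024-10-16T09:00:05 LOGIN carol 203.0.113.9 FAIL
2024-10-16T09:00:07 LOGIN dave 203.0.113.9 FAIL
2024-10-16T09:00:09 LOGIN frank 203.0.113.9 SUCCESS
2024-10-16T09:01:00 MFA_PUSH frank 203.0.113.9 DENIED
2024-10-16T09:01:20 MFA_PUSH frank 203.0.113.9 DENIED
2024-10-16T09:01:40 MFA_PUSH frank 203.0.113.9 DENIED
2024-10-16T09:02:00 MFA_PUSH frank 203.0.113.9 APPROVED
2024-10-16T09:03:00 MFA_ENROLL frank 203.0.113.9 SUCCESS
2024-10-16T09:05:00 LOGIN grace 198.51.100.4 SUCCESS
"""
SPRAY_MIN_USERS = 4   # distinct accounts failing from one source in WINDOW
PUSH_MIN_PROMPTS = 4  # push prompts to one user in WINDOW
WINDOW = timedelta(minutes=10)

def parse(log):
    # Yield (timestamp, event, user, source, result) for each log line.
    for line in log.splitlines():
        ts, event, user, src, result = line.split()
        yield datetime.fromisoformat(ts), event, user, src, result

def detect(rows):
    """Return password-spray and MFA-push-bomb alerts found in `rows`."""
    # source -> [(ts, user)] failed logins; user -> [ts] pushes; user -> [ts] enrolments
    fails, pushes, enrolls = defaultdict(list), defaultdict(list), defaultdict(list)
    for ts, event, user, src, result in sorted(rows):
        if event == "LOGIN" and result == "FAIL":
            fails[src].append((ts, user))
        elif event == "MFA_PUSH":
            pushes[user].append(ts)
        elif event == "MFA_ENROLL":
            enrolls[user].append(ts)
    alerts = []
    # Spraying: one source fails against many accounts (few tries per account).
    for src, hits in fails.items():
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append(("password_spray", src, sorted(users)))
                break
    # Push-bombing: a burst of prompts to one user; a device enrolled soon
    # after is the persistence step the advisory describes, so severity is high.
    for user, times in pushes.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= WINDOW]
            if len(burst) >= PUSH_MIN_PROMPTS:
                end = burst[-1]
                enrolled = any(end <= e <= end + WINDOW for e in enrolls[user])
                alerts.append(("mfa_push_bomb", user, len(burst),
                               "high" if enrolled else "medium"))
                break
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` on the constructed log yields one spray alert for the single source and one high-severity push-bomb alert for the account that enrolled a new MFA device right after the prompt burst.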

MFA that relies on a push notification to a smartphone with no second factor (e.g., entering a code from an authenticator app) is particularly vulnerable to brute force and credential-access techniques. Does your network or any of your web-based applications rely solely on a push notification to grant access? Specifically, if access to your network or a web-based application can be gained by a mere click on a link in an SMS or email message, or by answering a call to a mobile device, with no second method of authentication before access is permitted, talk to your IT team or the vendor of the web-based application about strengthening the authentication method.

Regularly review your password policy to ensure it is up to date with best practices. Ensure users in your organization are educated on the password policy. Also, educate permitted users of the network and web-based applications on the techniques threat actors use to gain access via weak and reused passwords. Ensure users understand the criticality of denying MFA push notification requests that they did not generate.

Talk to your IT team today regarding the Joint Cybersecurity Advisory on the threats to weak passwords and MFA methods. As recommended in the Advisory, exercise, test, and validate your organization’s security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Advisory (e.g., Modify Authentication Process: MFA and MFA Request Generation).

We regularly work with clients to assist in preparing or updating applicable IT information security policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, has increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes while not being subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumers who use PHRs, the FTC finalized the following changes to the HBNR:


Kentucky Enacts New Consumer Data Privacy Act

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:
