Kentucky Data Privacy Laws

Data breach notification requirements applicable to any “Information Holder” (as defined by Kentucky law):

  • KRS 365.732 Notification to affected persons of computer security breach involving their unencrypted personally identifiable information.

Data breach notification requirements applicable to “public agencies” (including public schools and universities) and “non-affiliated third parties” (as defined by Kentucky law):

  • KRS 61.931 Definitions.
  • KRS 61.932 Personal information security and breach investigation procedures and practices for certain public agencies and nonaffiliated third parties.
  • KRS 61.933 Notification of personal information security breach – Investigation – Notice to affected individuals of result of investigation – Personal information not subject to requirements – Injunctive relief by Attorney General.
  • KRS 61.934 Personal information security and breach investigation procedures and practices for legislative and judicial branches — Personal information disposal or destruction procedures.
  • Commonwealth of Kentucky, Protection of Personal Information, Security and Incident Investigation Procedures and Practices for Local Governmental Units, Policy Number DLG-PPI 100.
  • Commonwealth of Kentucky Memo on Personal Security Information, January 9, 2015.
  • KRS 171.450 Department procedures and regulations (including disposal and destruction of public records).

Kentucky Commonwealth Office of Technology to report on security breaches of “public agencies” and “non-affiliated third parties” under KRS 61.931 et seq. (above):

  • KRS 42.722 Definitions for KRS 42.720 to 42.742.
  • KRS 42.724 Commonwealth Office of Technology.
  • KRS 42.726 Roles, duties, and permissible activities for Commonwealth Office of Technology — Duties of Archives and Records Commission and Department for Libraries and Archives not affected — Annual report concerning security breaches.
  • KRS 42.732 Kentucky Information Technology Advisory Council — Purposes – Members.

Restrictions on the use of student information maintained by “cloud-computing service providers” on behalf of “educational institutions”:

  • KRS 365.734 Prohibited uses of personally identifiable student information by cloud computing service provider. This law allows the Kentucky Board of Education (KBE) to promulgate regulations. (As of 12/15/15, the KBE had not issued any regulations.)