KENTUCKY PRIVACY LAWS

Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay

Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $2,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Notification must be given without delay to any resident of Kentucky affected by a breach that includes personal information.
  • If notification is required for more than 1,000 consumers, the breached Organization must also notify all consumer reporting agencies and credit bureaus.
  • Vendors must notify Organizations as soon as possible after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • Organizations and Vendors in the business of destroying records must have measures in place for the secure destruction of records containing personal information so the records are unreadable or indecipherable.
  • Organizations may be fined or penalized for Vendor violations.
  • Consumers may bring an action to recover damages for violations of the data destruction requirements.
  • Additional requirements may apply to student data and cloud computing service providers.
Statutes and Laws
  • KY REV STAT § 365.720 Definitions
  • KY REV STAT § 365.725 Destruction of Customer’s Records Containing Personally Identifiable Information
  • KY REV STAT § 365.730 Civil Action For Damages or Injunction For Violation of KRS 365.725
  • KY REV STAT § 365.732 Notification to Affected Persons of Computer Security Breach Involving Their Unencrypted Personally Identifiable Information
  • KY REV STAT § 365.734 Student Data and Cloud Computing Service Providers