Ky. Lawmakers Unveil Breach Notification Bill
Kentucky One of Four States Without Breach Notice Law
The legislation, House Bill 5, would only apply to breaches targeting state and local government computers as well as IT systems of other state-supported entities, such as public schools. It would not apply to businesses.
Adam Edelen, the elected state auditor of public accounts, says in an interview with Information Security Media Group that most Kentucky lawmakers do not support a data breach notification law that includes businesses (see Breach Law: Kentucky the 47th State?).
But Edelen suggests enacting a notification law for public agencies to report data breaches could spur lawmakers eventually to enact a broader bill to cover businesses. "It's very important that the public sector model the behavior," he said. "... Government has the opportunity to demonstrate that [data breach notification] works, it's not onerous and could serve as a model of behavior for businesses."
The bill would require affected agencies to notify the state police, public auditor and attorney general within 24 hours of discovery of a security breach. It also would require affected agencies to conduct a reasonable and prompt investigation after a breach is discovered.
The legislation would oblige targeted agencies to notify appropriate government authorities within 48 hours if personally identifiable information was misused, and to notify individuals whose personal data were exposed within 35 days of the completion of the investigation into a breach.
In addition, the bill would require the state to report to national consumer reporting agencies a breach in which the PII of 1,000 or more individuals was exposed.
House Bill 5 has 60 House sponsors from both political parties.
"This is an opportunity to bring increased focus on what is an incredibly important policy area, and that's the issue of privacy, by making sure that the people who support our government are protected," says Edelen, the bill's chief advocate. "I think it's a critical component of good government."
The three other states without a data breach notification law are Alabama, New Mexico and South Carolina.