Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws: up to $2,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Kentucky has additional laws regarding personal data protection and data disposal to prevent a breach.
  • If a vendor is breached, it must report the breach to the data owner. The data owner will be responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
  • Additional requirements may apply to student data and cloud computing service providers.
  • Any business that handles personal information on behalf of a public agency must notify the public agency within 72 hours of discovering a breach.
Statutes and Laws
  • KY Rev Stat § 365.732 Notification to affected persons of computer security breach involving their unencrypted personally identifiable information (2014)
  • KY Rev Stat § 61.932 Personal Information Security and Breach investigation procedures and practices (2014)
  • KY Rev Stat § 365.734 Student Data and Cloud Computing Service Providers (2015)
  • KY Rev Stat § 365.725 Destruction of customer’s records (2015)