The Target data breach in 2013 spurred Kentucky lawmakers to put notification policies in place so that citizens receive timely notice when credit card and other sensitive data is stolen.
Data breaches in Kentucky are now governed by two laws that outline how affected parties will be notified if their information has been compromised.
House Bill 5 and House Bill 232 were signed by Kentucky Gov. Steve Beshear in a ceremony last month, strengthening data breach reporting requirements for the public and private sectors, respectively. The measures were officially state law since April 10.
In an interview with Government Technology in late June, Rep. Denver “Denny” Butler, D-Louisville, the sponsor of HB 5, admitted he didn’t know why the state didn’t already have legislative policy in place to address notification standards for data breaches. But he’s pleased his measure established guidelines for agencies to use in the event a compromise occurs.
“Unfortunately, we live in a time in which cyber criminals continually bombard companies and public entities in hopes of gaining access to personal information on thousands of people,” Beshear said in a statement. “That’s why it is important for government and private businesses to … let people know when their personal data may have been fraudulently obtained. We all must be vigilant in protecting sensitive information.”
HB 5 and HB 232 require agencies that have experienced a data breach to alert the Kentucky State Police, auditor of public accounts, attorney general, Kentucky Department of Education or the Council on Postsecondary Education, depending on the public entity involved. A time period to alert those individuals impacted by the breach isn’t mandated by the bills, however.
The open-endedness was by design, so that an investigation wouldn’t be compromised, according to Butler. He explained that if an agency got hacked and credit card numbers were stolen, there would be a difference between when individuals would be notified based on law enforcement trying to nail one person using one number, or if the incident is a part of a larger credit card fraudulence ring, where police may have the ability to shut it all down.
“What we didn’t want to do is say we’re going to give up this information as soon as we find out about the compromise and notify the public within 12 hours,” Butler said. “Because if you’re onto a ring, and it may take two days … it would be worth that wait to nail those people.”
Butler added that the spirit of the legislation is if investigators have no idea who conducted the breach, they’re going to notify citizens. But if they have a good lead, they wanted some legislative leeway to give law enforcement the time they need to bring a hacker to justice.
Government Technology reached out to Rep. Steve Riggs, D-Louisville, HB 232’s sponsor for comment on his measure, but a message wasn’t returned by press time.
Both HB 232 and HB 5 proceeded fairly quickly through the Kentucky Legislature, with the latter having more than 80 co-sponsors, according to Butler. He felt the Target data breach last year drove the immense participation and interest the bills generated.
The only significant amendment to HB 5 was to remove language that would have impeded those agencies already saddled with security and reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA). Representatives of hospitals and health associations were concerned that they might be double-regulated and worked with Butler and other legislators to adjust the measures.
“When we looked at it, we had enough language to cover everything and we were able to take out almost a full page of duplicate regulation on those interest groups,” Butler said.