Kentucky is the 47th state, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, to enact a data breach notification law requiring business entities to notify individuals of security breaches involving personally identifiable information. Kentucky’s law also aims to protect student data by imposing new limits on cloud service providers.

House Bill 232, signed into law by Governor Steve Beshear earlier this month, requires any entity transacting business in Kentucky that reasonably believes a data breach has caused or will cause identity theft or fraud to notify all affected Kentucky residents whose personally identifiable information is or may be compromised. The Kentucky law defines personally identifiable information as “an individual’s first name or first initial and last name” in combination with one of the following three elements: (1) Social Security number; (2) driver’s license number; (3) account number, credit or debit number, in combination with any required security code, access code, or password permit access to an individual’s financial account.