On April 10, 2014, Kentucky became the 47th state to enact data breach notification laws. The new Kentucky law applies to “Information Holder[s],” defined as a persons or business entities that conduct business in Kentucky, including both those that own the personal information they maintain and those that maintain personal information for third parties.
The new law requires notification of the affected class of a data beach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement”. While the new law does not require notice to the Kentucky Attorney General or other any other state regulator, it does require notification to the consumer reporting agencies, again, “without unreasonable delay” if more than 1,000 Kentucky residents are impacted.
Now that Kentucky has joined the rest of the Union, can New Mexico, South Dakota and Alabama be far behind?