Database Security Breach Notification Law FAQs

What is the Database Security Breach Notification Law?

The Personal Information Security and Breach Investigation Procedures and Practices Act, enacted in the 2014 Regular Session, also known as House Bill 5 or the “Cyber Security Bill,” requires state and local governments to implement policies and procedures to protect confidential, sensitive information and to notify individuals if their information has been compromised. This legislation requires notification to any Kentucky resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. In addition, the notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.


What is a security breach?

A security breach is a compromise of the security, confidentiality, or integrity of computerized data that results in, or there is reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information. Good faith acquisition of personal information by an individual is not a breach of the security of the system, provided that the personal information is not used for, or subject to, unauthorized disclosure.


What is personal information?

"Personal information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
(a) An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
(b) A Social Security number;
(c) A taxpayer identification number that incorporates a Social Security number;
(d) A driver's license number, state identification card number, or other individual identification number issued by any agency;
(e) A passport number or other identification number issued by the United States government; or
(f) Individually identifiable health information as defined in 45 C.F.R. sec. 160.103, except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g.

What are the requirements for disclosure upon breach in the security of personal information for individuals who conduct business in Kentucky or license/own such computerized data?

Following the discovery of a security breach of the system containing personal information, any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.


What are the requirements for disclosure upon breach in the security of personal information for individuals who maintain computerized data (but do not own) that includes such information?

Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach of the system containing such data, following discovery by the agency or person of a breach of security of the system.


How may notification be provided?

Notification may be provided by one of the following methods:


  • Written notification
  • Electronic notification
  • Substitute notification if applicable (including email, posting of notification on the internet site of the agency or person, or notification to major statewide media)


What are the legal ramifications of the Database Security Breach Notification Law?

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information.


What is identity theft?

Identity theft occurs when someone obtains sensitive personal information such as a name, social security number (SSN), driver’s license number, credit card number, or other identifying information to take on that person’s identity in order to commit fraud or other crimes.


Is identity theft only a problem for people who submit information online?

No. You can be a victim of identity theft even if you never use a computer. People may be able to obtain personal information by stealing your wallet, overhearing a phone conversation, or picking up a receipt at a restaurant that has your account number on it. In addition, the internet has made it easier for individuals to obtain personal and financial data. Most companies and other institutions store information about individuals in databases; if one can access that database, he or she can obtain information about many people at once rather than focus on one person at a time.


Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of identity theft. However, there are ways to minimize risk:


  • Do business with reputable companies
  • Take advantage of security features (passwords and other security features add layers of protection if used appropriately)
  • Check privacy policies
  • Be careful what information you publicize
  • Use and maintain anti-virus software and a firewall
  • Be aware of your account activity


How do you know if your identity has been stolen?

Some changes that could indicate that someone has accessed your information include:


  • Unusual or unexplainable charges on bills
  • Phone calls or bills for accounts or services that you do not have
  • Failure to receive regular bills or mail
  • New, strange accounts appearing on your credit report
  • Unexpected denial of your credit card


What can you do if you think, or know, that your identity has been stolen?

To minimize the extent of the damage, take action as soon as possible:


  • Contact institutions, including banks, where you have accounts
  • Contact the main credit reporting companies (Equifax, Experian, TransUnion)
  • File a report
  • Consider other information that may be at risk and contact appropriate agencies (e.g., Social Security Administration, Department of Motor Vehicles)