Can you summarize KYRS 365.732?
TRADE PRACTICES > Notification to affected persons of computer security breach involving their unencrypted personally identifiable information.
Short Summary
This legal document, part of the Kentucky Revised Statutes under the section of Commerce and Trade, Trade Practices, governs the notification to affected persons of a computer security breach involving their unencrypted personally identifiable information. It defines the breach of the security of the system as the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information. The information holder, which refers to any person or business entity conducting business in Kentucky, is required to disclose any breach of the security of the system to affected residents of Kentucky in the most expedient time possible and without unreasonable delay. The document also outlines the notification requirements for information holders who maintain computerized data that includes personally identifiable information owned by another entity. It allows for a delay in notification if a law enforcement agency determines that it will impede a criminal investigation. The document specifies various methods of providing notice, including written notice, electronic notice, and substitute notice. It also mentions that an information holder with its own notification procedures consistent with the timing requirements of the document is deemed to be in compliance. Additionally, if the notification affects more than one thousand persons, the person responsible for the notification must also notify consumer reporting agencies and credit bureaus. The document provides exemptions for entities subject to specific federal acts or agencies of the Commonwealth of Kentucky or its local governments or political subdivisions.
Whom does it apply to?
Any person or business entity that conducts business in the state of Kentucky
What does it govern?
Notification to affected persons of computer security breach involving their unencrypted personally identifiable information
What are exemptions?
The provisions of this section and the requirements for nonaffiliated third parties in KRS Chapter 61 shall not apply to any person who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, or the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, as amended, or any agency of the Commonwealth of Kentucky or any of its local governments or political subdivisions.
What are the Penalties?
Not specified.
Jurisdiction
Kentucky