Commonwealth of Kentucky enacts data breach notification law

The new law serves as a reminder for entities conducting business in Kentucky to manage the risk of breach

On the heels of the widely publicized Target breach, states continue to enact legislation designed to provide notice to their citizens when a security breach involving personal data occurs. Kentucky is the latest state to join the ranks of the other 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands that have security breach notification laws, leaving Alabama, New Mexico and South Dakota as the few jurisdictions without such protections in place.

On April 10, Governor Beshear signed into law H.B. 232, designed to address the compromise of personally identifiable information of residents of the Bluegrass State. The law also requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale or disclosure, or processing of student data for commercial purposes.

Contributing Author

author image

Amy S. Leopard

Amy S. Leopard is a partner in the Health Care Practice Group at Bradley Arant Boult Cummings LLP (Nashville, Tenn.) where she co-chairs the...

Bio and more articles

Contributing Author

author image

Kevin Alonso

Kevin Alonso is an associate in the Health Care Practice Group at Bradley Arant Boult Cummings LLP (Nashville, Tenn.). He can be reached at

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.