On the heels of the widely publicized Target breach, states continue to enact legislation designed to provide notice to their citizens when a security breach involving personal data occurs. Kentucky is the latest state to join the ranks of the other 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands that have security breach notification laws, leaving Alabama, New Mexico and South Dakota as the few jurisdictions without such protections in place.
On April 10, Governor Beshear signed into law H.B. 232, designed to address the compromise of personally identifiable information of residents of the Bluegrass State. The law also requires cloud service providers that contract with educational institutions (K-12) to maintain the security of student data (name, address, email address, emails, and any documents, photos or unique identifiers relating to the student) and prohibits the sale or disclosure, or processing of student data for commercial purposes.