The number of US states without a data breach notification law has dropped to three. According to pogowasright.org, Kentucky is the latest state to sign a bill aimed at protecting the personal data of Kentuckians. Like many similar state laws, it gives information holders a safe harbor from notifying consumers of a breach when the affected data was encrypted.
Safe Harbor, Personal Information Defined
Like many state laws concerning data security and data privacy, the law makes an exception for information protected with encryption. First, a “breach of the security system” is defined as:
unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky
The one twist I can immediately make out is that the law requires the breach to be directly linked to ID theft or fraud, or to lead the “information holder to reasonably believe” that it will happen. I can understand the need to set limits – after all, most data breaches fizzle out with nothing happening – but the latter requirement literally puts the fox in charge of the hen house. Wouldn’t it be in most information holders’ interest to believe that ID theft is not in the cards when data is lost or stolen?
Second, the law clearly states that a breach of unencrypted data must be followed by notification “in the most expedient time possible and without unreasonable delay.” The logical conclusion is that information that is encrypted does not require a data breach notification (which is only natural, given how a breach of the security system has been defined). In practice, the safe harbor is only worth something if the encryption actually protects the data, which means keeping the keys separate from the encrypted data rather than on the same stolen laptop or compromised server.
Student Data Also Protected
Being at the tail end of the breach legislation game has its own rewards. The Kentucky legislature has made a point of ensuring that student data is protected. Among other things, it is now illegal for a cloud service provider to “process student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing service.”
This is no doubt directed at certain services that acknowledge data-mining student information for profit, financial or otherwise.
No Breach Law, More Expensive Insurance Policies
An interesting fact that I learned while reading about Kentucky’s data breach law, courtesy of whas11.com:
insurance companies were charging Kentuckians more for cyber-security policies in the absence of any state laws requiring such notification after incidents such as the Target and Neiman Marcus data breaches.
I cannot even begin to fathom why this would be so, but apparently it’s a thing. Assuming there is a causal link with legislation, I guess this is another reason why the US should have a federal data breach law.