Kentucky became the 47th state to enact data breach notification legislation earlier this month after Gov. Steve Beshear signed a bill into law that would require firms to notify consumers in the event of a data breach.
Only three states—Alabama, New Mexico and South Dakota—do not have laws in place requiring companies to notify consumers about the unauthorized acquisition of unencrypted consumer data.
Under Kentucky’s new law, firms that conduct business in the state and store consumer information are required to disclose data breaches in the “most expedient time possible” and “without unreasonable delay.” Firms are also required to notify consumer reporting agencies and credit bureaus if the breach compromised the data of more than 1,000 people.
Kentucky joins Iowa, which also recently enacted data breach notification legislation. Iowa Gov. Terry Branstad signed a bill into law that requires written notice to the state attorney general’s office, no later than five business days after the breach is discovered, for data breaches that affect more than 500 consumers.
Twelve other states have legislation pending that would alter and build on existing state laws on security breaches, which have recently affected major retailers like Michaels and Target.