M-F 8:00AM TO 5:30PM CST
Better coverage. Better price.

How to Comply with Kentucky Data Breach Laws

In Kentucky, businesses that suffer a harmful data breach must notify affected Kentucky residents as soon as possible through mail or electronic means. When the cost of notification exceeds $250,000, or more than 500,000 people are affected, businesses can use public service announcements to fulfill their notification requirements. When 1,000 or more people are affected, all consumer-reporting agencies must be notified. To learn more about KY’s data breach laws, keep reading.

Name of Law / Statute


Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes.

Who Is Subject to Law?

Any person conducting business in the state

Notification of Consumers?

Yes, but only if actual or reasonable chance of fraud or identity theft

By what means?

Written or electronic; if >1000 residents, must notify consumer reporting agencies

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >500k residents

Notification of authorities / regulators required?


By what means?


Regulatory Fines


Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?


Regulatory actions allowed?


HIPAA Compliance exemption?


Other  (e.g., timeframe)

Law does not apply if PI was encrypted or redacted

Link to complete law


Learn more about Kentucky’s data breach law.

70% of businesses raise prices or cut hiring when sued