Kentucky Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal data belonging to Kentucky residents, you need to understand the state's data breach notification rules. A single breach affecting thousands of people can trigger notification obligations that carry legal consequences for businesses that fail to act promptly.
Kentucky's breach notification framework operates through two separate statutes: one for private-sector entities and one for government agencies. Both require notification without unreasonable delay, but the government rules impose stricter requirements, including mandatory reporting to multiple state agencies.
For an overview of Kentucky's broader privacy framework, see the parent guide to [Kentucky Data Privacy Laws](/us-laws/data-privacy-laws/kentucky-data-privacy-laws).
Who Must Comply With KRS 365.732
Kentucky's primary data breach notification law, KRS 365.732, applies to any person or business entity that conducts business in Kentucky and owns or licenses computerized data that includes personal information.
The statute covers a broad range of entities. If you maintain computerized records containing personal information about Kentucky residents, regardless of where your business is physically located, KRS 365.732 applies to you.
There are two key exemptions. Entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) are exempt, as are financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). These entities follow their own federal breach notification frameworks instead.
State agencies and local governments are also excluded from KRS 365.732 because they are covered under the separate government breach notification statutes at KRS 61.931 through 61.934.
What Qualifies as Personal Information
Under KRS 365.732, personal information means an individual's first name or first initial and last name in combination with one or more of these data elements:
- Social Security number
- Driver's license number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the account
The data must be in computerized (electronic) form. Paper records are not covered by this statute.
Publicly available information lawfully made available to the general public from government records does not count as personal information under this law.
What Triggers a Notification Obligation
A breach occurs when there is an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personal information.
Kentucky adds an important qualifier. Notification is required only when the breach actually causes, or the entity reasonably believes it has caused or will cause, identity theft or fraud against the affected residents. If the entity determines through its investigation that no harm is reasonably likely, notification is not required.
This risk-of-harm threshold gives businesses some discretion. However, that discretion comes with responsibility. If a business incorrectly assesses the risk and does not notify, it could face legal exposure.
Good faith exception. The law provides that acquisition of personal information by an employee or agent of the entity does not constitute a breach, as long as the information is not actually misused or further disclosed without authorization.
Encryption Safe Harbor
Kentucky's statute does not apply to information that is encrypted or redacted. This is a straightforward safe harbor: if you encrypt personal information and a breach occurs, you are not required to send notifications under KRS 365.732.
This incentivizes businesses to adopt encryption as a standard data protection practice. If your organization stores personal information electronically, encryption removes one of the most significant legal risks associated with a breach.
Notification Timing and Method
When notification is required, businesses must act in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Kentucky does not set a specific deadline in days. The "without unreasonable delay" standard gives businesses time to investigate, but it also means that unnecessary foot-dragging could be considered a violation.
Law enforcement delay. If a law enforcement agency determines that notification would impede a criminal investigation, the business may delay notification until law enforcement authorizes it.
Methods of Notice

Businesses may provide notice through:
- Written notice sent to the affected individual's last known address
- Electronic notice consistent with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
Substitute Notice
If direct notification would cost more than $250,000, would reach more than 500,000 people, or if the entity lacks sufficient contact information, substitute notice is available. Substitute notice requires all three of the following:
- Email notification to all affected individuals for whom the entity has an email address
- Conspicuous posting on the entity's website
- Notification to major statewide media outlets

Credit Reporting Agency Notification
When a breach affects more than 1,000 Kentucky residents, the entity must also notify all nationwide consumer reporting agencies and credit bureaus without unreasonable delay. This notification must describe the timing, distribution, and content of the notices sent to affected individuals.
Third-Party Data Holders
If an entity maintains personal information on behalf of another business (the data owner or licensee), the maintaining entity must notify the data owner or licensee of the breach as soon as reasonably practicable after discovering it. The data owner or licensee then becomes responsible for notifying affected individuals.

Government Entity Requirements (KRS 61.931 Through 61.934)
Kentucky holds government agencies to a different and more detailed standard through KRS 61.931 through 61.934, effective January 1, 2015.
Broader Definition of Personal Information
The government statutes define personal information more broadly than the private-sector law. Under KRS 61.931, personal information includes an individual's first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with:
- Social Security number
- Taxpayer identification number that incorporates a Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number with required security codes or passwords
- Other individual identification number
This definition is broader than KRS 365.732 in two ways: it includes biometric and genetic identifiers as qualifying name elements, and it adds taxpayer identification numbers as a covered data element.
Mandatory Multi-Agency Notification
When a government agency experiences a breach, it must notify multiple state entities:
- The Attorney General
- The Auditor of Public Accounts
- The Finance and Administration Cabinet
- The Kentucky State Police
- The Kentucky Department of Library and Archives
- The Commonwealth Office of Technology
This multi-agency notification requirement reflects the heightened accountability expected of government entities handling citizen data.
Third-Party Contractor Obligations
Private companies that contract with Kentucky state agencies and handle personal information face specific obligations under KRS 61.932.
For contracts executed or amended on or after January 1, 2015, contractors must implement security and breach investigation procedures at least as stringent as those required of the government agency itself.
When a contractor discovers a breach, it must notify the contracting agency in the most expedient time possible and without unreasonable delay, but no later than 72 hours after determining the breach occurred. The contracting agency then takes responsibility for notifying affected individuals and the Attorney General.
AG-Approved Delays
If a government agency determines that measures necessary to restore the integrity of its data system cannot be implemented within the required notification timeframe, the agency may request a delay. That delay must be approved in writing by the Office of the Attorney General.
Injunctive Relief
Under KRS 61.933, the Attorney General may seek injunctive relief against entities that fail to comply with government breach notification requirements.
Enforcement and Penalties
Private Sector (KRS 365.732)
KRS 365.732 does not contain specified penalties or a dedicated enforcement mechanism. The statute also does not create an explicit private right of action.
However, injured parties may have recourse through KRS 446.070, Kentucky's general remedy statute. KRS 446.070 provides that a person injured by the violation of any statute may recover damages from the offender through a civil action. This creates a potential pathway for affected individuals to seek damages, though it remains untested in many data breach contexts.
The Attorney General may also pursue enforcement through Kentucky's general consumer protection statutes.
Government Entities (KRS 61.931 Through 61.934)
The Attorney General has explicit authority to seek injunctive relief against government entities and their contractors that violate the breach notification requirements. This gives the AG power to compel compliance through court orders.
The KCDPA's Impact on Data Breach Response

The Kentucky Consumer Data Protection Act (KCDPA), which took effect on January 1, 2026, does not replace the existing breach notification statutes. However, it adds a new layer of data protection obligations that affect how businesses handle personal information before, during, and after a breach.
Under the KCDPA, codified at KRS 367.3611 through 367.3629, businesses that meet the applicability thresholds must:
- Implement reasonable data security practices proportional to the volume and sensitivity of the data they process
- Classify biometric data, genetic data, precise geolocation data, and other sensitive categories as requiring opt-in consent
- Respond to consumer deletion and access requests within 45 days
- Conduct data protection assessments for high-risk processing activities
The KCDPA gives the Attorney General exclusive enforcement authority with penalties of up to $7,500 per violation after a 30-day cure period. While the KCDPA does not directly modify KRS 365.732, a data breach that results from inadequate security practices could trigger enforcement actions under both frameworks.
The Kentucky Attorney General's Office of Data Privacy, created to enforce the KCDPA, can be reached at (502) 892-8538.
Insurance Data Security Law
Kentucky also enacted an insurance-specific data security law at KRS 304.3-750 through 304.3-768. Licensed insurers, agents, and other insurance entities must notify the Commissioner of Insurance of cybersecurity events as promptly as possible, but no later than three business days after the event, when the breach affects 250 or more Kentucky residents or materially harms operations.
Penalties under the insurance data security law can reach $10,000 per violation for insurers and $1,000 to $2,000 for individual agents and adjusters.
Steps to Take After a Breach in Kentucky
If your business experiences a data breach involving Kentucky residents' personal information, consider these steps:
- Contain the breach and secure your systems to prevent further unauthorized access
- Investigate the scope to determine what data was compromised and how many individuals are affected
- Assess the risk of harm to determine whether the breach is reasonably likely to cause identity theft or fraud
- Notify affected individuals in the most expedient time possible if harm is likely
- Notify credit reporting agencies if more than 1,000 Kentucky residents are affected
- Document your response including the investigation findings and notification timeline
- Contact law enforcement if the breach involves criminal activity
If you are a government contractor, remember the 72-hour notification window to the contracting agency.
Sources and References
This article references Kentucky statutes and official state government publications. For the full text of the breach notification statutes, visit the Kentucky Legislature website. For consumer guidance on data breaches and identity theft, visit the Kentucky Attorney General website. For information about the KCDPA and the Office of Data Privacy, see the AG's KCDPA page.
This article provides general legal information about Kentucky data breach notification laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Kentucky government sources.
- KRS 365.732 - Notification to affected persons of computer security breach (apps.legislature.ky.gov)
- KRS 61.931 - Definitions for government breach notification (apps.legislature.ky.gov)
- KRS 61.932 - Government agency breach investigation procedures (apps.legislature.ky.gov)
- KRS 61.933 - Government breach notification requirements (apps.legislature.ky.gov)
- KRS 61.934 - Legislative and judicial branch breach procedures (apps.legislature.ky.gov)
- Kentucky Consumer Data Protection Act (KCDPA) - AG guidance (ag.ky.gov)
- Kentucky Office of Data Privacy (ag.ky.gov)
- Kentucky AG Identity Theft Resources (ag.ky.gov)
- KRS 446.070 - Penalty no bar to civil recovery (apps.legislature.ky.gov)
- HIPAA Information - HHS (hhs.gov)
- Gramm-Leach-Bliley Act - FTC (ftc.gov)
- E-SIGN Act - FTC (ftc.gov)
- KRS Chapter 365 - Commerce and Trade (apps.legislature.ky.gov)
- KRS 304.3-760 - Insurance cybersecurity event notification (apps.legislature.ky.gov)
- HB 15 - Kentucky Consumer Data Protection Act bill text (apps.legislature.ky.gov)