Heads up: Argus Cybersecurity and Support is not a law firm, and nothing in this article is legal advice. We're IT and cybersecurity professionals sharing information about laws that directly affect how businesses handle data. For advice specific to your situation, please consult a licensed Kentucky attorney.
Two Laws, One Goal: Keep You Out of Trouble
Here's the situation: Kentucky businesses are now operating under two separate but related data privacy laws, and most owners don't fully understand either of them.
The first, KRS 365.732, has been around since 2014. It answers one question: what do you have to do after a data breach? The second, the brand new Kentucky Consumer Data Protection Act (KCDPA), which took effect January 1, 2026, answers a different question: what standards do you have to meet before anything goes wrong? Together, they create a compliance framework that every Kentucky business needs to understand, because they work differently, apply to different situations, and carry very different consequences.

KRS 365.732: What Happens After a Breach
First, Let's Be Precise About What a "Breach" Actually Is
This is where a lot of businesses get themselves in trouble. Not every security incident is a legally reportable breach under KRS 365.732. The law defines a breach as unauthorized acquisition of unencrypted, unredacted computerized data, but only if that incident actually causes, or leads you to reasonably believe it will cause, identity theft or fraud against a Kentucky resident.
That second part, the harm threshold, matters. If someone got into your system but there's genuinely no risk of identity theft or fraud, notification may not be required. That judgment call should never be made without a lawyer in the room: regulators scrutinize harm-threshold decisions closely, and the default posture should be that when in doubt, you notify.
What Data Is Actually Covered, And What Isn't
Here's a gotcha that surprises a lot of business owners. Kentucky's definition of covered personal information ("PI" in this article) under KRS 365.732 is narrower than you'd expect:
A person's first name or initial plus last name, combined with any one of:
Social Security number
Driver's license number
Account number or credit/debit card number, combined with any required security code, access code, or password that would permit access to the financial account
That's it. What's not on that list? Email address and password combinations. Medical records. Biometric data. Geolocation. Unlike states such as California or Illinois, Kentucky hasn't expanded the definition of PI to cover those categories yet.
Why does this matter for you? Because if your breach only exposes email logins or health-adjacent information, KRS 365.732 may not require notification. But that doesn't mean you're in the clear. The newer KCDPA defines data far more broadly, and you could still face exposure under common-law negligence theories.
Who Gets a Pass
If your business is covered by HIPAA or the Gramm-Leach-Bliley Act, meaning you're a hospital, medical practice, insurance company, bank, or credit union, KRS 365.732 doesn't apply to you. Those industries have their own federal breach frameworks. That said, HIPAA's breach rule is actually stricter in many ways, so being exempt from the state statute doesn't mean you have less work to do.
The Notification Clock: "Expedient" Is Not Well-Defined
Here's something the statute won't give you: a fixed number of days. There's no "you have 72 hours" or "you have 30 days" rule under KRS 365.732. The standard is "the most expedient time possible and without unreasonable delay".
The only two valid reasons to delay are:
A law enforcement agency asks you to hold off while they investigate
You need time to determine the scope of the breach and restore system integrity
That's it. Document every hour of your response timeline. From when you discovered the incident, to when you made the decision to notify, to when notices actually went out. Regulators and plaintiffs' attorneys will reconstruct this chronology in detail if it ever gets to litigation.

How You Can Notify
You have three options:
Written notice: physical mail to affected individuals
Electronic notice: email, if you have addresses and it's consistent with federal e-sign rules
Substitute notice: the nuclear option
Substitute notice is only allowed when the cost of direct notification would exceed $250,000, your affected class exceeds 500,000 people, or you simply don't have contact information for everyone. It requires you to do all three of the following simultaneously: email everyone you can reach, post a conspicuous notice on your website, and contact major statewide media. It's not a choice between those options. It's all three at once.
The Rule Most Businesses Completely Miss: Notify the Credit Bureaus
If your breach requires notifying more than 1,000 Kentucky residents at the same time, you also have to notify all nationwide consumer reporting agencies, the credit bureaus, of the timing, distribution, and content of the notices you sent.
Most businesses don't know this exists. Build it into your incident response plan now, not during the chaos of an active breach.
Vendor Breaches: Their Problem Becomes Your Problem
If you're a managed service provider, a SaaS vendor, or any kind of technology service, and you suffer a breach involving data you hold on behalf of a client, your obligation is to notify that client "as soon as reasonably practicable". The client then handles consumer notification. Make sure your contracts address this explicitly, including who's responsible for costs, timelines, and indemnification.
Can You Be Sued?
KRS 365.732 doesn't include a private right of action, meaning individuals can't directly sue under the statute itself. But don't take too much comfort in that. KRS 446.070, Kentucky's general negligence-per-se statute, allows any person injured by a violation of any Kentucky statute to recover civil damages. Courts apply two conditions: the plaintiff has to belong to the class the statute was meant to protect, and the violation has to have caused their harm. If both are true, a failure to comply with breach notification requirements can form the basis of a civil lawsuit, and with enough affected individuals, that means class-action exposure.
The KCDPA: Kentucky's New Privacy Law
This Is a Big Deal
Effective January 1, 2026, Kentucky joined 20+ other states with a comprehensive consumer privacy statute. The KCDPA is modeled closely on Virginia's Consumer Data Protection Act and gives Kentucky consumers the right to know what data you have on them, correct it, delete it, and opt out of it being sold or used for targeted advertising.
But here's the first question you need to ask: does it even apply to you?
Who Has to Comply
The KCDPA applies if your business conducts business in Kentucky or targets Kentucky residents, AND:
You control or process data on at least 100,000 Kentucky consumers per year, OR
You process data on at least 25,000 Kentucky consumers AND more than 50% of your gross revenue comes from selling that data
If you don't hit those numbers today, the law technically doesn't apply to you yet. But here's the honest advice: treat the KCDPA as a best-practice roadmap regardless. Kentucky is clearly signaling where it wants to go, and the compliance costs are far lower when you build good habits proactively than when you scramble to retrofit them under pressure.
Who is exempt? Nonprofits, government agencies, colleges and universities, HIPAA-covered entities, and businesses regulated under GLBA.
What the KCDPA Calls "Personal Data" Is Much Broader
This is where the KCDPA is completely different from KRS 365.732. "Personal data" under the KCDPA means any information linked or reasonably linkable to an identified or identifiable individual (de-identified data and publicly available information are excluded). That is broad enough to cover a lot of data that nobody thinks twice about collecting.
The law goes further with a separate category called sensitive data, which requires opt-in consent before you process it at all:
Race or ethnicity
Religious beliefs
Mental or physical health diagnoses
Sexual orientation
Citizenship or immigration status
Genetic or biometric data
Precise geolocation data
Data collected from children under 13
If any of that appears in your systems, you need affirmative, unambiguous consent before processing, not just a buried privacy policy disclosure.
What You Have to Do
If the KCDPA applies to your business, here's what it requires:
- Be transparent. Your privacy notice needs to clearly disclose what categories of data you collect, why you collect it, who you share it with, and how consumers can exercise their rights, including how to appeal if you deny a request.
- Only take what you need. Data minimization isn't just a principle, it's a legal obligation. You can only collect and use data that's reasonably necessary for your disclosed purpose.
- Respond to consumer requests within 45 days. Consumers can ask to see their data, correct it, delete it, or opt out of it being sold or used for ads. You have 45 days to respond. You can extend by 45 more days with notice, but you can't just ignore requests. Build a process for this before you need it.
- Have written contracts with every vendor who touches your data. Your cloud host, your payroll processor, your IT MSP. If they handle personal data on your behalf, you need binding written contracts that specify what data they can use, for what purposes, and how they'll handle a breach.
A Deadline You Can't Afford to Miss: DPIAs
If your business conducts high-risk processing activities, think targeted advertising, profiling, the sale of personal data, or processing sensitive data, you are required to conduct and document Data Protection Impact Assessments (DPIAs; the statute itself calls them data protection assessments).
Here's an important timing note: per 2025 amendments to the KCDPA, DPIA requirements apply only to processing activities created or initiated on or after June 1, 2026. So if a high-risk process was already running before that date, there's technically a window. But consider this: if the AG ever opens an investigation, they can request disclosure of any DPIA you've conducted. Starting assessments proactively now, even for pre-June 2026 activities, creates a documented record of good faith that matters in enforcement.
Enforcement: The AG Isn't Waiting
The KCDPA is enforced exclusively by the Kentucky Attorney General through the Office of Data Privacy, which opened in 2026. Consumers cannot sue you directly under the KCDPA, but the AG very much can.
Before filing suit, the AG must give you a 30-day notice and cure period. If you fix the issue within 30 days, enforcement stops. This cure period is permanent under Kentucky's law; it does not sunset the way California's and Colorado's did, which makes the KCDPA somewhat more forgiving than those regimes.
If you don't cure within 30 days, the AG can seek:
Civil penalties up to $7,500 per violation
Injunctive relief
Recovery of investigative costs and attorneys' fees
To put that in context: if each affected consumer counted as a separate violation, a problem affecting 10,000 people would represent $75 million in theoretical exposure. In practice, enforcement actions settle well below the statutory ceiling.
Most importantly: enforcement started almost immediately. On January 8, 2026, one week after the law took effect, AG Russell Coleman filed suit against Character Technologies (Character.AI) for allegedly targeting children and failing to implement adequate protections for minors. Kentucky is not taking a soft launch approach to this law.
The Real Business Cost: Beyond the Legal Bills
Let's step outside the statute for a moment and talk about what this actually means for a Kentucky business.
Legal exposure runs in multiple directions at once. A single breach can simultaneously trigger KRS 365.732 notification obligations, KCDPA enforcement, and KRS 446.070 civil claims, especially if your response is slow or incomplete.
The financial hit is real. Verizon's 2024 Data Breach Investigations Report found small business breach costs ranging from $120,000 to $1.24 million depending on severity. IBM's 2025 report pegs the global average at $4.44 million across all organization sizes.
A note on the "60% of small businesses close" statistic: you'll see this figure cited frequently in cybersecurity content, including in some of our older materials. In the spirit of accuracy: the National Cyber Security Alliance issued a statement recommending against using this statistic, because the original 2012 source study cannot be verified or reproduced. The actual business impact is still severe, the financial figures above are well-sourced, but we'd rather give you numbers you can rely on.
Your Compliance Checklist
Don't wait for an alert to fire before taking these steps.
Under KRS 365.732 (Breach Notification)
Encrypt all PI at rest and in transit. Unauthorized acquisition of encrypted data is not a "breach" under the statute, which makes encryption your legal safe harbor, but only if the attacker didn't get the key too. Keep keys in a separate system with its own access controls (a KMS or HSM, not a config file sitting next to the database), and treat data whose key was exposed in the same incident as unencrypted when you evaluate notification.
Audit where PI lives across your organization. Servers, file shares, email archives, cloud storage. You cannot protect what you haven't found.
Build a documented harm-threshold protocol. Define in advance how you'll evaluate whether an incident clears the harm threshold, and default toward notifying when it's borderline.
Create a written Incident Response Plan that specifies who contacts legal, who engages IT, who handles the AG's office, and who evaluates a law enforcement delay request.
Draft notification templates now. Have legally reviewed drafts ready for individual written notice, electronic notice, and all three substitute notice components before you ever need them.
Add the credit bureau notification step to your IRP. Breaches affecting more than 1,000 residents require notifying all nationwide consumer reporting agencies.
Review every vendor contract. If a third-party vendor holds your clients' data and suffers a breach, your clients will look to you. Contracts should address breach response, timelines, and costs explicitly.
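The "audit where PI lives" step is where most businesses stall, yet the statute's definition is specific enough to scan for. Below is an added example, not the Argus Cyber Scan product and not anything from the statute, that scans exported text for the data elements in KRS 365.732's definition: Social Security numbers with the never-issued ranges excluded, payment card numbers confirmed with a Luhn check, and, as an assumed illustrative pattern only, a driver's license format. The sample export is constructed. Hits are reported masked, so the scan output does not become another copy of the PI it found.

```python
"""Scan text for the data elements that trigger KRS 365.732's definition of
covered personal information: Social Security numbers, payment card numbers
and (as an ASSUMED, illustrative pattern) driver's license numbers.

Added example, not the Argus Cyber Scan product or code from the statute.
The sample text below is constructed; results are masked so the scan
report itself does not become another copy of the PI it found.
"""
import re
from collections import Counter
from dataclasses import dataclass

# SSN: three groups, allowing "-" or " " separators.  Area 000, 666 and
# 900-999, group 00 and serial 0000 are never issued, so they are rejected.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)
# Payment cards: 13 to 19 digits, optionally separated by spaces or dashes.
# A regex alone over-matches, so candidates are confirmed with a Luhn check.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Driver's license numbers vary by state; one letter followed by eight digits
# is an ASSUMPTION used for illustration, not the statute's definition.
DL_RE = re.compile(r"\b[A-Z]\d{8}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "ssn", "card" or "dl"
    masked: str  # all but the last four digits replaced by "*"


def mask(value: str) -> str:
    """Keep only the last four characters of the matched value."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per data-element hit, scanning line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(line_no, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                findings.append(Finding(line_no, "card", mask(m.group())))
        for m in DL_RE.finditer(line):
            findings.append(Finding(line_no, "dl", mask(m.group())))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per kind.  The number that matters for the credit-bureau
    rule is distinct residents, which needs a de-duplication pass over the
    real data, not this per-line count."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: the kind of legacy export a file-share audit turns up.
SAMPLE_EXPORT = """\
customer,ssn,card,notes
Jane Doe,219-09-9999,4111 1111 1111 1111,renewal 2024
John Roe,000-12-3456,4111 1111 1111 1112,bad ssn and bad card checksum
Pat Poe,,,KY DL on file: K12345678
Order 55512345678901 shipped (order id, not a card)
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_EXPORT)
    for h in hits:
        print(f"line {h.line_no}: {h.kind} {h.masked}")
    print(summarize(hits))  # {'ssn': 1, 'card': 1, 'dl': 1}
```

Point it at exported share contents, mailbox archives, or database dumps. Every hit is a candidate for human review, not a conclusion: the statutory trigger is a name plus one of these elements, and the 1,000-resident credit-bureau threshold counts distinct people, so the per-line counts above are a starting inventory, not the notification number.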
Under the KCDPA (Privacy Compliance)
Confirm whether you meet the thresholds. 100,000 Kentucky consumers in a year, or 25,000 if more than half your gross revenue comes from selling personal data.
Draft or update your privacy notice to include all required disclosures: data categories, purposes, third parties, consumer rights, and appeal instructions.
Build a consumer rights response workflow with intake, identity verification, and a 45-day response clock.
Establish opt-in consent mechanisms for sensitive data before processing geolocation, biometrics, health data, or children's data.
Update processor agreements with all vendors handling data on your behalf.
Schedule DPIAs for new high-risk processing activities initiated on or after June 1, 2026, and start assessing existing ones proactively.
Create an appeal workflow for denied consumer rights requests, including a final escalation path to the Office of Data Privacy.
Why Encryption Is Still the Most Powerful Tool in Your Toolbox
Both statutes reward strong encryption posture, but in different ways.
Under KRS 365.732, unauthorized acquisition of encrypted data falls outside the statutory definition of a "breach", so for that data there is no notification duty, provided the key was not exposed in the same incident. Under the KCDPA, reasonable administrative, technical, and physical data security practices are an explicit controller obligation, and encryption is the clearest evidence of them during an enforcement inquiry. In both cases, encryption is the single most legally impactful technical control you can implement today.
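For the encryption item in the checklist above and for this section, here is an added example, not code from the article, the statute, or Argus, of field-level encryption of the PI columns in a customer record using AES-256-GCM from the Python `cryptography` package. The KeyService class is a stand-in for a real KMS or HSM, and the record, field, and key names are assumptions for illustration. Two details carry the safe-harbor argument: the data store ends up holding only ciphertext for the statutory data elements, and each ciphertext is bound to its record and field, so a value copied into another row or column fails to decrypt.

```python
"""Field-level encryption of KRS 365.732 data elements with AES-256-GCM.

Added example, not code from the article or the statute.  Requires
`pip install cryptography`.  KeyService stands in for a real KMS/HSM; the
record, field and key names are assumptions for illustration.
"""
import base64
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# The data elements the statute's definition of PI hinges on (assumed column names).
PI_FIELDS = ("ssn", "drivers_license", "card_number")


class KeyService:
    """Stand-in for a KMS: keys live here, never in the data store.

    If the same incident that exposes the data also exposes this key, the
    ciphertext is as good as plaintext, so in production this is a separate
    system with its own access controls and audit log, not a config file.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create(self, key_id: str) -> str:
        self._keys[key_id] = AESGCM.generate_key(bit_length=256)
        return key_id

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]


def _aad(record_id: str, field: str) -> bytes:
    """Associated data binds a ciphertext to one record and one field, so a
    value copied into another row or column fails authentication."""
    return f"{record_id}:{field}".encode()


def encrypt_record(ks: KeyService, key_id: str, record: dict) -> dict:
    """Return a copy of `record` with each PI field replaced by a
    {key id, nonce, ciphertext} envelope; other fields stay readable."""
    aead = AESGCM(ks.get(key_id))
    out = dict(record)
    for field in PI_FIELDS:
        value = out.get(field)
        if isinstance(value, str):
            nonce = os.urandom(12)  # fresh 96-bit nonce for every encryption
            ct = aead.encrypt(nonce, value.encode(), _aad(record["id"], field))
            out[field] = {
                "k": key_id,
                "n": base64.b64encode(nonce).decode(),
                "c": base64.b64encode(ct).decode(),
            }
    return out


def decrypt_record(ks: KeyService, stored: dict) -> dict:
    """Inverse of encrypt_record; raises InvalidTag if any envelope was
    tampered with or moved to a different record or field."""
    out = dict(stored)
    for field in PI_FIELDS:
        env = out.get(field)
        if isinstance(env, dict):
            aead = AESGCM(ks.get(env["k"]))
            plaintext = aead.decrypt(
                base64.b64decode(env["n"]),
                base64.b64decode(env["c"]),
                _aad(stored["id"], field),
            )
            out[field] = plaintext.decode()
    return out


def try_decrypt_record(ks: KeyService, stored: dict) -> Optional[dict]:
    """decrypt_record, returning None instead of raising on a bad tag."""
    try:
        return decrypt_record(ks, stored)
    except InvalidTag:
        return None


def exposed_fields(stored: dict) -> list[str]:
    """PI fields still stored as readable strings; an empty list means the
    store holds no unencrypted data elements for this record."""
    return [f for f in PI_FIELDS if isinstance(stored.get(f), str)]


if __name__ == "__main__":
    ks = KeyService()
    key_id = ks.create("pi-key-2026")  # assumed key name
    customer = {                        # constructed sample record
        "id": "cust-1001",
        "name": "Jane Doe",
        "ssn": "219-09-9999",
        "card_number": "4111111111111111",
    }
    stored = encrypt_record(ks, key_id, customer)
    print("readable PI in store:", exposed_fields(stored))  # []
    print("round trip ok:", decrypt_record(ks, stored) == customer)  # True
    moved = dict(stored, id="cust-2002")  # ciphertext copied to another record
    print("moved ciphertext decrypts:", try_decrypt_record(ks, moved) is not None)  # False
```

The name column is left readable on purpose: the statute's trigger is name plus a data element, and encrypting the elements is what keeps a stolen table from meeting it. Rotating keys means re-encrypting with a new key id stored in the envelope, which is why the key id travels with each ciphertext rather than living in application config.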

How Argus Fits In
At Argus Cybersecurity and Support, we don't just fix computers. We act as your vCIO, building a technology roadmap that aligns with where Kentucky law is heading. That means 24/7 threat detection, proactive Cyber Scans that surface hidden PI before attackers do, and security architecture designed so that even when an incident occurs, your data is secured well enough that the law never considers it a breach in the first place.
If you're in manufacturing, real estate, legal services, or professional services, industries that handle dense concentrations of sensitive client data, your exposure under both statutes is higher than average, and proactive compliance planning pays for itself many times over.
The bottom line is simple: in Kentucky data law, encryption isn't a nice-to-have. It's your primary statutory defense. Build it in now.