by Andrew Dewson | Insider Louisville | April 16, 2014
Gov. Steve Beshear signed cyber security changes for Kentucky into law last week – but what does it really mean for Kentucky businesses?
Quite a lot, actually.
The true global cost of cyber fraud is probably impossible to measure – the cyber security and anti-virus expert Eugene Kasperkey told a conference in Dublin in October of last year that the cost was “many times more” than $100 billion. And that was long before Target, Nieman Marcus, Michael’s, Heartbleed…. the list of security breaches is already endless, and the e-commerce isn’t even old enough to have graduated from college yet.
Last week Kentucky became the 47th state to sign into law cyber security measures – a bit late, but par for the course as far as this state is concerned. Not much fanfare either – Gov. Beshear’s office didn’t even release the obligatory signing photograph, such was the understated welcome HB5 and HB232 received.
However, these two new statutes drastically change the way all Kentucky businesses need to look at the way they do electronic business and how they store pertinent client information, and it could have far-reaching consequences as far as cyber security is concerned. Any business that does electronic transactions – which pretty much means all businesses – needs to know about these changes and how they will affect data storage and customer confidentiality.
The legislation was sponsored by Rep. Steve Riggs (D-Louisville). An insurance broker by trade, Riggs argued (successfully) that Kentucky businesses were being penalized by higher cyber security insurance premiums because the state had no legislation outside of federal law.
For a city like Louisville that sits on the border with another state, it is important to have clear statutes. For example, a business that operates in Jeffersonville may have customers and staff from both states. If it suffered a security breach it would be obliged to inform Indiana staff or customers within 72 hours and has clear guidelines regarding what it must legally disclose – not so for employees who live in the bluegrass.
So what does the new legislation mean for Kentucky businesses? Douglas Brent, an attorney leading Stoll Keenon Ogden’s cyber security practice, tells Insider Louisville: “We’ve seen an avalanche of data breach, point of sale and identity theft. Mostly it’s not as sexy as hackers from abroad, and most of the time it’s ordinary employee negligence. Most people don’t experience actual fraud, only inconvenience and the business downside is limited by internal prevention, shut-off procedures and insurance. But this legislation is timely and important, to put it mildly.”
Brent says the new legislation will bring Kentucky practices up to a speed that at least matches legislation now enforced across (almost) the rest of the nation.
The new statutes should become effective in mid-July. House Bill 232 relates to private-sector businesses, creating obligations for businesses regarding what they need to know in the event of an electronic security breach.
These obligations include how long they have to notify customers or staff and whether they need to inform law enforcement (it’s worth noting that most security breaches are a result of negligence – the loss of a laptop or thumb drive – rather than as a result of criminal activity). Crucially, businesses also need to be aware of when they should hold back on communicating that information, for example, if a criminal investigation may be compromised by doing so.
These new guidelines are applicable to any business that conducts financial transactions electronically or that uses “computerized data,” which could be something as straightforward as printing sales numbers.
So, basically, any and every business.
“With this legislation being brand new there is bound to be some different interpretation of this law,” says Brent. “Basically, we will have to wait until there is a court case to see how it is interpreted by a judge. Our advice hasn’t changed, yet, despite this big change in state legislation – don’t think so much about the medium in which your information exists, think more about what it is and whether it could be personally damaging to your customer or staff if it’s lost.”
The use of encryption for personally identifiable information essentially nullifies these new obligations – but most small businesses don’t store encrypted information as it is often seen as excessively expensive for a small business. The legislation defines “personally identifiable” as first name, last name and address in combination with at least a driver’s license, Social Security number, credit or debit card numbers.
“No matter what you are selling over the Internet or however you are processing information, Federal Trade Commission (FTC) Regulation 5 is the first port of call,” says Brent. “Businesses need to make sure that their privacy policy is actually matched by what is being done. That’s probably the most common violation of the federal laws that already exist in Kentucky.
“The basic message is that anyone who is in any form of commerce here in Kentucky needs to know what the new obligations are and how they may impact business in the event of a security breach.”
For the first time the new legislation includes obligations and guidelines for cloud computing services, particularly those involved in the processing of online education, giving guidelines regarding the privacy, storage and security of students’ online records and data. Cloud computing services will also be limited in the manner and type of marketing they can target at education customers.
HB 5 imposes obligations on government agencies and 3rd-party contractors. This is intended to broadly define government agencies from cabinet level on down to suburban county government and committees. Every public institution is affected by this act, which imposes guidelines similar to HB 232.
“Anybody involved in government contracts that may involve personal detail – so not building contractors, but certainly including payroll or healthcare services — is going to be impacted by this,” Brent says. ”Agencies need to come up with best practices if they didn’t have them before and to update them if they did.”