FRANKFORT, Ky. (AP) — A bill aimed at blocking hackers and requiring government agencies to notify Kentuckians when cyber thieves do steal personal information from government computers picked up momentum on Thursday.
The measure won a quick endorsement from the House State Government Committee. With 74 House co-sponsors, split between Democrats and Republicans, the bill appears to be on solid footing in that chamber.
Governments stockpile large amounts of private information from its citizens, said state Auditor Adam Edelen, who helped craft the legislation. When that information is lost or stolen, a government agency has an obligation to notify the people affected, he said.
"From Social Security numbers to tax returns, health records and credit cards, governments possess more sensitive, private data than any other single entity," he said. "As residents of Kentucky, it is your data. So it's your right to be notified when it's lost or stolen so you can protect yourself."
The bill would require state and local government agencies to notify people affected by a cybersecurity breach within 35 days of the incident. Notification would be provided on the agency's website and to the media, and affected individuals would be notified by phone, mail or email.
Kentucky is among four states without a law requiring government to notify people of such breaches, Edelen said.
The bill also would require notification of law enforcement and the auditor's office when a government's computers are hacked and personal information is stolen.
The bill also calls for steps to strengthen cybersecurity protections.
It would require agencies to encrypt personal information. It also calls for the Commonwealth Office of Technology to establish cybersecurity training for agencies.
Senate Majority Leader Damon Thayer later said the GOP-led Senate would take a look at the measure once it reaches that chamber, but that he had some questions about it.
"I want to make sure that we're not talking about an unfunded mandate on local governments before we speed it through the Senate," Thayer said.
Edelen, a Democrat, said a review of the bill found it would have a "minimum financial impact" on government agencies. He said any agency that puts money into a computer system that collects personal information "doesn't have a defense to say it's too expensive to protect that data."
Edelen pointed to a massive security breach at South Carolina's tax collection agency a couple of years ago as further incentive to toughen Kentucky's cybersecurity.
About 6.4 million people and businesses had their data, such as Social Security and bank account numbers, stolen in the hacking of computers at the Department of Revenue in South Carolina.
Smaller cyber breaches have occurred in Kentucky, state officials said. In 2012, a state agency unintentionally posted Social Security numbers and other sensitive information on its website for two days.
The bill would cover local governments and a broad swath of state government. It wouldn't apply to the state's judicial and legislative branches, but it encourages those branches to take the same steps.
The measure would take effect next Jan. 1, giving agencies time to ratchet up their cyber protections, Edelen said.
The legislation is House Bill 5.