Kentucky Governor Andy Beshear signed Senate Bill 267, also known as the “Anti-Doxing Bill,” into law in April, making it a crime to disseminate personal identifying information with the intent to intimidate, abuse, threaten, harass, or frighten. The new law became effective on June 29, 2021 and is one of the first of its kind in the country. In addition to potential criminal penalties, the new law also provides Kentuckians, and their immediate family and household members, with a private cause of action to recover potentially extensive penalties, including punitive damages and attorney’s fees awards, against disseminators who violate the law.
To bring a civil claim, a Kentucky resident’s personal identifying information must be published, posted, or otherwise disclosed to a public internet site or public forum. The law defines “personal identifying information” as information that identifies or reasonably can be used to identify an individual. Examples include, but are not limited to:
- Social Security number or other government-issued identifier;
- Date of birth;
- Home or physical address;
- Electronic-mail address or telephone number;
- Financial account number or credit or debit card number;
- Biometric, health, or medical data, or insurance information; or
- School or employment locations.
For a Kentucky resident to successfully bring a claim, the disseminator must have intentionally disseminated the personal identifying information with an intent to intimidate, abuse, threaten, harass, or frighten. Further, the dissemination is required to cause a reasonable person to be in fear of physical injury to himself or an immediate family member or household member.
Plaintiffs who prove these elements may recover their actual damages, punitive damages, court costs, as well as attorney’s fees from disseminators of the personally identifying information. All persons found liable are jointly and severally liable with others who commit the same violation, potentially creating financial risk for those who share posts containing personally identifying information. The law specifically omits broadband internet access service providers, telecommunication service providers, interconnected VoIP provider, mobile service providers, and commercial mobile service providers from civil liability when acting as a provider of those services under specific federal laws.
To minimize any impact this law may have on the business community, companies may want to consider adopting an acceptable use policy for internet access they make available to customers, vendors, members of the public, or employees, in consultation with counsel. In addition, Kentucky’s adoption of the Anti-Doxing Bill provides a good opportunity for businesses to review their data privacy and protection policies.
Frost Brown Todd will continue to follow this law and provide updates as it relates to the application of Kentucky’s anti-doxing law. For more information or help navigating this new law, please contact Justin Fowles or Michelle Fox with Frost Brown Todd’s Tort Defense practice group.