Letter to Kentucky Senate on HB 380

Section 33 of Kentucky's HB 380 mandates a cryptographic backdoor that doesn't exist and can't be built without destroying the security model it's meant to protect.

March 20, 2026

March 23, 2026

The Honorable Robert Stivers
President, Kentucky Senate
Kentucky State Senate
Frankfort, KY 40601

RE: Provisions Concerning Digital Asset Hardware Wallets within House Bill 380

Dear President Stivers,

The Bitcoin Policy Institute (BPI) is a non-profit, non-partisan research and advocacy organization dedicated to advancing sound Bitcoin and digital asset policy. We write to share technical concerns about Section 33 of House Bill 380 and to respectfully urge the Kentucky Senate to remove that provision before passage. We also offer BPI as a resource to help address the underlying consumer concern through technically viable means.

Section 33 adds a new provision to KRS Chapter 369 that defines "hardware wallet provider" as "a person that offers or provides a hardware wallet" and mandates that such providers "[p]rovide a mechanism for, and assist any person who owns a hardware wallet that was provided by the provider with, resetting any password, pin, seed phrase, or other similar information that is necessary to access the contents of the hardware wallet." Violations are enforceable as unfair or deceptive trade practices by the Kentucky Attorney General under KRS 367.170, with the full range of remedies and penalties available under KRS 367.990.

A hardware wallet is a physical device for securing digital assets that generates and stores a user's cryptographic private keys offline, entirely on the device itself. When a user first sets up a hardware wallet, the device generates a seed phrase—a sequence of 12 or 24 words from which all of the user's private keys are mathematically derived—using cryptographically secure random number generation that never leaves the device. The seed phrase is never transmitted to or stored by the manufacturer; it resides entirely locally on the user's own device.
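To make the point above concrete, the following is an added illustration (not part of BPI's letter, and not any manufacturer's code) of how a seed phrase becomes private keys under the BIP-39 and BIP-32 standards that hardware wallets commonly implement. Every step is a fixed, publicly specified computation over the words the user holds; there is no manufacturer-side input, so there is nothing a provider could use to "reset" a lost phrase. The mnemonic used is the published BIP-39 test vector, not a real wallet; the derivation path and passphrase are assumptions chosen for the example.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve group; a valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP-39 test vector (all-zero entropy); constructed for illustration only.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the word list into a 64-byte seed with PBKDF2-HMAC-SHA512.

    The only inputs are the words and an optional user passphrase. Nothing
    here depends on a server, a vendor key, or any per-device secret the
    manufacturer could retain.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: derive the master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key (probability ~2^-128)")
    return master_key, chain_code


def derive_hardened_child(parent_key: bytes, chain_code: bytes, index: int) -> tuple[bytes, bytes]:
    """BIP-32 hardened child derivation (index >= 2^31), which needs no curve arithmetic."""
    if not 0 <= index < 0x80000000:
        raise ValueError("index must be a non-hardened number; 2^31 is added here")
    data = b"\x00" + parent_key + (0x80000000 + index).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + int.from_bytes(parent_key, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key; BIP-32 says skip this index")
    return child.to_bytes(32, "big"), digest[32:]


def derive_path(seed: bytes, hardened_indices: list[int]) -> bytes:
    """Walk a fully hardened path such as m/44'/0'/0' and return the private key at its end."""
    key, chain_code = seed_to_master_key(seed)
    for index in hardened_indices:
        key, chain_code = derive_hardened_child(key, chain_code, index)
    return key


def recovery_is_deterministic(mnemonic: str, passphrase: str, path: list[int]) -> bool:
    """Two independent derivations from the same words agree: the words alone are the backup."""
    first = derive_path(mnemonic_to_seed(mnemonic, passphrase), path)
    second = derive_path(mnemonic_to_seed(mnemonic, passphrase), path)
    return first == second


if __name__ == "__main__":
    # Assumed path m/44'/0'/0' (the BIP-44 account level); passphrase is an example value.
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    print("account key:", derive_path(seed, [44, 0, 0]).hex())
    print("deterministic:", recovery_is_deterministic(TEST_MNEMONIC, "TREZOR", [44, 0, 0]))
```

The consequence for Section 33 is visible in the code: the functions take nothing but the user's words, so a provider that kept no copy of them has no way to regenerate the keys, and a provider that did keep a copy would hold exactly the secret the device exists to keep off every server.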

This level of user privacy is essential to ensure the security of the assets. After setup, the manufacturer has no more ability to access a user's seed phrase than a safe manufacturer has to reconstruct the combination a customer chose after taking the safe home. This design is critical for proper safekeeping of the assets. The security value of a non-custodial hardware wallet rests entirely on the assurance that no third party, including the manufacturer, can access or reconstruct the user's keys.

If, in order to comply with Section 33, a hardware wallet provider were to either (1) store users' seed phrases on its own servers or (2) build a mechanism capable of remotely reconstructing them, this would constitute a "cryptographic backdoor" that would fundamentally compromise the security of every hardware wallet sold, creating a centralized repository of private keys that would be an attractive and catastrophic target for bad actors.

It is also worth noting that Section 33 does not define the term "hardware wallet," and its definition of "hardware wallet provider"—"a person that offers or provides a hardware wallet"—could reasonably be read to extend to distributors, retailers, and resellers who have no technical relationship with a device's secure element and could not fulfill this requirement under any circumstances.

Rather than protecting consumers, Section 33 could harm them in two significant ways.

● First, hardware wallet manufacturers who determined that they could not comply with a technically impossible mandate would face a stark choice: redesign their products to incorporate a backdoor, or cease serving Kentucky customers. Either outcome is harmful. The first would destroy the security model these products exist to provide, and the second would strip Kentucky consumers of the most effective tools available for secure self-custody of digital assets.

● Second, and perhaps more consequentially, this outcome would channel Kentuckians toward custodial services—exchanges and platforms that hold user funds on their behalf—which carry exactly the counterparty risk and vulnerability to institutional failure that self-custody is designed to avoid.

This outcome would also directly conflict with the policy Kentucky enacted unanimously just one year ago. House Bill 701, signed into law in March 2025, affirmed the right of individuals to use self-hosted wallets to manage digital assets without restriction. That right cannot be meaningfully exercised if the manufacturers of the devices that enable it cannot lawfully operate in Kentucky.

Our Recommendation

We strongly support the legislature's goal to protect consumers and advance Kentucky's burgeoning Bitcoin economy. To that end, BPI recommends that the Kentucky Senate remove Section 33 from HB 380 before passage. Removing Section 33 leaves entirely intact the bill's core consumer protection objectives, including the kiosk transaction limits, waiting periods, fraud mitigation requirements, and disclosure standards that represent sound and enforceable policy.

We recognize that the concern motivating Section 33 is genuine. Consumers who lose access to a hardware wallet face real difficulty, and that is a legitimate problem worth addressing. BPI would welcome the opportunity to meet with members of the Senate or their staff to discuss approaches to address that concern that are technically feasible and consistent with the security architecture these products depend upon.

Please do not hesitate to reach out. We are committed to working constructively with Kentucky policymakers and to helping the Commonwealth remain a leader in digital asset innovation and consumer protection.

Respectfully submitted,

Conner Brown
Managing Director
Bitcoin Policy Institute
