Kentucky HB 5: Data Security Bill


    UNOFFICIAL COPY AS OF 01/21/14 14 REG. SESS. 14 RS BR 862

    AN ACT relating to the safety and security of personal information held by public agencies.

    Be it enacted by the General Assembly of the Commonwealth of Kentucky:

    SECTION 1. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:

    As used in Sections 1 to 4 of this Act:

    (1) "Agency" means:

    (a) The executive branch of state government of the Commonwealth of Kentucky;

    (b) Every county, city, municipal corporation, urban-county government, charter county government, consolidated local government, and unified local government;

    (c) Every organizational unit, department, division, branch, section, unit, office, administrative body, program cabinet, bureau, board, commission, committee, subcommittee, ad hoc committee, council, authority, public agency, instrumentality, interagency body, special purpose governmental entity, or public corporation, of an entity specified in paragraphs (a) or (b) of this subsection or created, established, or controlled by an entity specified in paragraphs (a) or (b) of this subsection;

    (d) Every public school district in the Commonwealth of Kentucky; and

    (e) Every public institution of postsecondary education, including every public university in the Commonwealth of Kentucky and public college of the entire Kentucky Community and Technical College System.

    (2) "Commonwealth Office of Technology" means the office established by KRS 42.724;

    (3) "Encryption" means the conversion of data using technology that:

    (a) Meets or exceeds the level adopted by the National Institute of Standards

    Page 1 of 21 BR086200.100 - 862 - 1695 Jacketed

    and Technology as part of the Federal Information Processing Standards: and

    (b) Renders the data indecipherable without the associated cryptographic key to decipher the data;

    (4) "Law enforcement agency" means any lawfully organized investigative agency, sheriff's office, police unit, or police force of federal, state, county, urban-county government, charter county, city, consolidated local government, unified local government, or any combination of these entities, responsible for the detection of crime and the enforcement of the general criminal federal and state laws;

    (5) "Nonaffiliated third party" means any person that:

    (a) Has a contract or agreement with an agency to provide services or resources to the agency; and

    (b) Receives personal information from the agency pursuant to the contract or agreement;

    (6) "Personal information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:

    (a) An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;

    (b) A Social Security number;

    (c) A taxpayer identification number;

    (d) A driver's license number, state identification card number, or other individual identification number issued by any agency;

    (e) A passport number or other identification number issued by the


    papers, maps, photographs, cards, tapes, disks, diskettes, recordings, and other documentary materials, regardless of physical form or characteristics, which are prepared, owned, used, in the possession of or retained by a public agency.

    (b) "Public record" does not include any records owned by a private person or corporation that are not related to functions, activities, programs or operations funded by state or local authority;

    (8) "Reasonable security procedures and practices" means data security procedures and practices developed in good faith and set forth in a written security information policy;

    (9) "Security breach" means:

    (a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency reasonably believes may compromise the security, confidentiality, or integrity of personal information; or

    2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data.

    (b) "Security breach" does not include the good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

    SECTION 2. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:

    (1) (a) An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the


    2. Any executive branch agency subject to additional requirements shall notify the Commonwealth Office of Technology of those requirements, and the Commonwealth Office of Technology shall maintain a list of executive branch agencies giving notice of additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any unit of government listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act subject to additional requirements that are not organizational units of the executive branch of state government shall notify the Department for Local Government of those requirements, and the Department for Local Government shall maintain a list of units of government subject to additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any public school districts listed under subsection (1)(d) of Section 1 of this Act subject to additional requirements shall notify the Kentucky Department of Education of those requirements, and the Kentucky Department of Education shall maintain a list of public school districts subject to additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any educational entities listed under subsection (1)(e) of Section 1 of this Act subject to additional requirements shall notify the Council on Postsecondary Education of those requirements, and the Council on Postsecondary Education shall maintain a list of educational entities subject to additional requirements, along with a reference to the statutory citation where the requirements can be located.

    (2) (a) For agreements executed or amended on or after August 1, 2014, any


    agency that contracts with a nonaffiliated third party as a service provider and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

    (b) 1. A nonaffiliated third party that is provided access to personal information by an agency, or that collects and maintains personal information on behalf of an agency shall notify the agency within twenty-four (24) hours of discovery or notification of a security breach relating to the personal information in the possession of the nonaffiliated third party. The notice to the agency shall include all information the nonaffiliated party has with regard to the security breach at the time of notification.

    2. The notice required by this paragraph may be delayed if a law enforcement agency notifies the nonaffiliated third party that notification will impede a criminal investigation or jeopardize homeland or national security. If notice is delayed pursuant to this paragraph, notification shall be given as soon as reasonably feasible by the nonaffiliated third party to the agency with which the nonaffiliated third party is contracting. The agency shall then record the notification in writing on a form developed by the Commonwealth Office of Technology that the notification will not impede a criminal


    investigation and will not jeopardize homeland or national security. The Commonwealth Office of Technology shall promulgate administrative regulations under Sections 1 to 4 of this Act regarding the content of the form.

    SECTION 3. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:

    (1) (a) Any agency that collects, maintains, or stores personal information that discovers or is notified of a security breach relating to personal information collected, maintained, or stored by the agency or by an nonaffiliated third party on behalf of the agency shall as soon as possible, but within twenty-four (24) hours of discovery of the security breach:

    1. Notify the Commissioner of the Kentucky State Police, the Auditor of Public Accounts, and the Attorney General. In addition, an agency shall notify the Secretary of the Finance and Administration Cabinet or his or her designee if an agency is an organizational unit of the executive branch of state government; notify the Commissioner of the Department for Local Government if the agency is a unit of government listed in subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government; notify the Commissioner of the Kentucky Department of Education if the agency is a public school district listed in subsection (1)(d) of Section 1 of this Act; and notify the President of the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(c) of Section 1 of this Act. Notification shall be in writing on a form developed by the Commonwealth Office of Technology. The Commonwealth Office of Technology shall


    promulgate administrative regulations under Sections 1 to 4 of this Act regarding the contents of the form.

    2. Conduct a reasonable and prompt investigation in accordance with the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section to determine whether the security breach has resulted in or is likely to result in the misuse of the personal information.

    (b) Upon conclusion of the agency's investigation:

    1. If the agency determined that a security breach has occurred and that the misuse of personal information has occurred or is reasonably likely to occur, the agency shall:

    a. Within forty-eight (48) hours of completion of the investigation, notify in writing all officers listed in subparagraph (1)(a)1. of this section, and the Commissioner of the Department for Libraries and Archives, unless the provisions of subsection (3) of this section apply;

    b. Within thirty-five (35) days of providing the notifications required by subparagraph a. of this paragraph, notify all individuals impacted by the breach as provided in subsection (2) of this section, unless the provisions of subsection (3) of this section apply; and

    c. If the number of individuals to be notified exceeds one thousand (1,000), the agency shall notify, at least seven (7) days prior to providing notice to individuals under subparagraph b. of this paragraph, the Commonwealth Office of Technology if the agency is an organizational unit of the executive branch of state government, the Department for Local Government if the


    agency is a unit of government listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government, the Kentucky Department of Education if the agency is a public school district listed under subsection (1)(d) of Section 1 of this Act, or the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(e) of Section 1 of this Act; and notify all consumer credit reporting agencies included on the list maintained by the Office of the Attorney General that compile and maintain files on consumers on a nationwide basis, as defined in 18 1a( ), of the timing, distribution, and content of the notice.

    2. If the agency determines that the misuse of personal information has not occurred and is not likely to occur, the agency is not required to give notice, but shall maintain records that reflect the basis for its decision for a retention period set by the State Archives and Records Commission as established by KRS 171.420.

    (2) The provisions of this subsection establish the requirements for providing notice to individuals under subsection (1)(b)1.b. of this section.

    (a) Notice shall be provided as follows:

    1. Conspicuous posting of the notice on the Web site of the agency;

    2. Notification to regional or local media if the breach is localized, and also to major statewide media if the breach is widespread, including broadcast media, such as radio and television; and

    3. Personal communication to individuals whose data has been breached using the method listed in subdivisions a., b., and c. of this


    subparagraph that the agency believes is most likely to result in actual notification to those individuals, if the agency has the information available:

    a. In writing, sent to the most recent address for the individual as reflected in the records of the agency;

    b. By electronic mail, sent to the most recent electronic mail address for the individual as reflected in the records of the agency, unless the individual has communicated to the agency in writing that they do not want email notification; or

    c. By telephone, to the most recent telephone number for the individual as reflected in the records of the agency.

    (b) The notice shall be clear and conspicuous, and shall include:

    1. To the extent possible, a description of the categories of information that were subject to the security breach, including the elements of personal information that were or were believed to be acquired;

    2. Contact information for the notifying agency, including the address, telephone number, and toll-free number if a toll-free number is maintained;

    3. A description of the general acts of the agency, excluding disclosure of defenses used for the protection of information, to protect the personal information from further security breach;

    4. The toll-free numbers, addresses, and Web site addresses, along with a statement that the individual can obtain information from the following sources about steps the individual may take to avoid identity theft, for:

    a. The major consumer credit reporting agencies;

    b. The Federal Trade Commission; and


    c. The Office of the Kentucky Attorney General.

    (c) The agency providing notice pursuant to this subsection shall cooperate with any investigation conducted by the agencies notified under subsection (1)(a) of this section and with reasonable requests from the Office of Consumer Protection of the Office of the Attorney General, consumer credit reporting agencies, and recipients of the notice, to verify the authenticity of the notice.

    (3) (a) The notices required by subsection (1) of this section shall not be made if, after consultation with a law enforcement agency, the agency receives a written request from a law enforcement agency for a delay in notification because the notice may impede a criminal investigation. The written request may apply to some or all of the required notifications, as specified in the written request from the law enforcement agency. Upon written notification from the law enforcement agency that the criminal investigation has been completed, or that the sending of the required notifications will no longer impede a criminal investigation, the agency shall send the notices required by subsection (1)(b)1. of this section.

    (b) The notice required by subsection (1)(b)1.b. of this section may be delayed if the agency determines that measures necessary to restore the reasonable integrity of the data system cannot be implemented within the timeframe established by subsection (1)(b)1.b. of this section, and the delay is approved in writing by the Office of the Attorney General. If notice is delayed pursuant to this subsection, notice shall be made immediately after actions necessary to restore the integrity of the data system have been completed.

    (4) An agency that maintains data that include personal information that the agency does not own shall notify the owner or licensee of the data of any security breach


    of the data immediately upon discovery of the security breach.

    (5) Any waiver of the provisions of this section is contrary to public policy and shall be void and unenforceable.

    (6) This section shall not apply to:

    (a) Personal information that has been redacted;

    (b) Personal information disclosed to a federal, state, or local government entity, including a law enforcement agency or court, or their agents, assigns, employees, or subcontractors, to investigate or conduct criminal investigations and arrests, delinquent tax assessments, or to perform any other statutory duties and responsibilities;

    (c) Personal information that is publicly and lawfully made available to the general public from federal, state, or local government records;

    (d) Personal information that an individual has consented to have publicly disseminated or listed; or

    (e) To any document recorded in the records of either a county clerk or circuit clerk of a county, or in the records of a


    appropriate disposal or destruction of records that include personal information pursuant to the authority granted the Department for Libraries and Archives under Section 8 of this Act.

    Section 5. KRS 42.722 is amended to read as follows:

    As used in KRS 42.720 to 42.742[, unless the context requires otherwise]:

    (1) "Communications" or "telecommunications" means any transmission, emission, or reception of signs, signals, writings, images, and sounds of intelligence of any nature by wire, radio, optical, or other electromagnetic systems, and includes all facilities and equipment performing these functions;

    (2) "Geographic information system" or "GIS" means a computerized database management system for the capture, storage, retrieval, analysis, and display of spatial or locationally defined data;

    (3) "Information resources" means the procedures, equipment, and software that are designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel;

    (4) "Information technology" means data processing and telecommunications hardware, software, services, supplies, facilities, maintenance, and training that are used to support information processing and telecommunications systems to include geographic information systems;[ and]

    (5) "Personal information" has the same meaning as in Section 1 of this Act;

    (6) "Project" means a program to provide information technologies support to functions within an executive branch state agency, which should be characterized by well-defined parameters, specific objectives, common benefits, planned activities, expected outcomes and completion dates, and an established budget with a specified source of funding.; and

    (7) "Security breach" has the same meaning as in Section 1 of this Act.

    Section 6. KRS 42.726 is amended to read as follows:


    (1) The roles and duties of the Commonwealth Office of Technology shall include but not be limited to:

    (a) Providing technical support and services to all executive agencies of state government in the application of information technology;

    (b) Assuring compatibility and connectivity of Kentucky's information systems;

    (c) Developing strategies and policies to support and promote the effective applications of information technology within state government as a means of saving money, increasing employee productivity, and improving state services to the public, including electronic public access to information of the Commonwealth;

    (d) Developing, implementing, and managing strategic information technology directions, standards, and enterprise architecture, including implementing necessary management processes to assure full compliance with those directions, standards, and architecture[. This specifically includes but is not limited to directions, standards, and architecture related to the privacy and confidentiality of data collected and stored by state agencies];

    (e) Promoting effective and efficient design and operation of all major information resources management processes for executive branch agencies, including improvements to work processes;

    (f) Developing, implementing, and maintaining the technology infrastructure of the Commonwealth;

    (g) Facilitating and fostering applied research in emerging technologies that offer the Commonwealth innovative business solutions;

    (h) Reviewing and overseeing large or complex information technology projects and systems for compliance with statewide strategies, policies, and standards, including alignment with the Commonwealth's business goals, investment, and other risk management policies. The executive director is authorized to grant


    or withhold approval to initiate these projects;

    (i) Integrating information technology resources to provide effective and supportable information technology applications in the Commonwealth;

    (j) Establishing a central statewide geographic information clearinghouse to maintain map inventories, information on current and planned geographic information systems applications, information on grants available for the acquisition or enhancement of geographic information resources, and a directory of geographic information resources available within the state or from the federal government;

    (k) Coordinating multiagency information technology projects, including overseeing the development and maintenance of statewide base maps and geographic information systems;

    (l) Providing access to both consulting and technical assistance, and education and training, on the application and use of information technologies to state and local agencies;

    (m) In cooperation with other agencies, evaluating, participating in pilot studies, and making recommendations on information technology hardware and software;

    (n) Providing staff support and technical assistance to the Geographic Information Advisory Council and the Kentucky Information Technology Advisory Council;

    (o) Overseeing the development of a statewide geographic information plan with input from the Geographic Information Advisory Council;[; and]

    (p) Developing for state executive branch agencies a coordinated security framework and model governance structure relating to the privacy and confidentiality of personal information collected and stored by state executive branch agencies, including but not limited to:


    1. Identification of key infrastructure components and how to secure them;

    2. Establishment of a common benchmark that measures the effectiveness of security, including continuous monitoring and automation of defenses;

    3. Implementation of vulnerability scanning and other security assessments;

    4. Provision of training, orientation programs, and other communications that increase awareness of the importance of security among agency employees responsible for personal information; and

    5. Development of and making available a cyber security incident response plan and procedure.

    (q) Preparing proposed legislation and funding proposals for the General Assembly that will further solidify coordination and expedite implementation of information technology systems.

    (2) The Commonwealth Office of Technology may:

    (a) Provide general consulting services, technical training, and support for generic software applications, upon request from a local government, if the executive director finds that the requested services can be rendered within the established terms of the federally approved cost allocation plan;

    (b) Promulgate administrative regulations in accordance with KRS Chapter 13A necessary for the implementation of KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;

    (c) Solicit, receive, and consider proposals from any state agency, federal agency, local government, university, nonprofit organization, private person, or corporation;


    (d) Solicit and accept money by grant, gift, donation, bequest, legislative appropriation, or other conveyance to be held, used, and applied in accordance with KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;

    (e) Make and enter into memoranda of agreement and contracts necessary or incidental to the performance of duties and execution of its powers, including, but not limited to, agreements or contracts with the United States, other state agencies, and any governmental subdivision of the Commonwealth;

    (f) Accept grants from the United States government and its agencies and instrumentalities, and from any source, other than any person, firm, or corporation, or any director, officer, or agent thereof that manufactures or sells information resources technology equipment, goods, or services. To these ends, the Commonwealth Office of Technology shall have the power to comply with those conditions and execute those agreements that are necessary, convenient, or desirable; and

    (g) Purchase interest in contractual services, rentals of all types, supplies, materials, equipment, and other services to be used in the research and development of beneficial applications of information resources technologies. Competitive bids may not be required for:

    1. New and emerging technologies as approved by the executive director or her or his designee; or

    2. Related professional, technical, or scientific services, but contracts shall be submitted in accordance with KRS 45A.690 to 45A.725.

    (3) Nothing in this section shall be construed to alter or diminish the provisions of KRS 171.410 to 171.740 or the authority conveyed by these statutes to the Archives and Records Commission and the Department for Libraries and Archives.

    (4) The Commonwealth Office of Technology shall, on or before October 1 of each


    year, submit to the Legislative Research Commission a report in accordance with KRS 57.390 detailing:

    (a) Any security breaches that occurred within organizational units of the executive branch of state government during the prior fiscal year that required notification to the Commonwealth Office of Technology under Section 2 of this Act;

    (b) Actions taken to resolve the security breach, and to prevent additional security breaches in the future;

    (c) A general description of what actions are taken as a matter of course to protect personal data from security breaches; and

    (d) Any quantifiable financial impact to the agency reporting a security breach.

    Section 7. KRS 42.732 is amended to read as follows:

    (1) There is hereby created the Kentucky Information Technology Advisory Council to:

    (a) Advise the executive director of the Commonwealth Office of Technology on approaches to coordinating information technology solutions among libraries, public schools, local governments, universities, and other public entities;[ and]

    (b) Advise the executive director of the Commonwealth Office of Technology on coordination among and across the organizational units of the executive branch of state government to prepare for, respond to, and prevent attacks; and

    (c) Provide a forum for the discussion of emerging technologies that enhance electronic accessibility to various publicly funded sources of information and services.

    (2) The Kentucky Information Technology Advisory Council shall consist of:

    (a) The state budget director or a designee;

    (b) The state librarian or a designee;

    (c) One (1) representative from the public universities to be appointed by the

    Governor from a list of three (3) persons submitted by the Council on

    Postsecondary Education;

    (d) Three (3) citizen members from the private sector with information technology

    knowledge and experience appointed by the Governor;

    (e) Two (2) representatives of local government appointed by the Governor;

    (f) One (1) representative from the area development districts appointed by the

    Governor from a list of names submitted by the executive directors of the area

    development districts;

    (g) One (1) member of the media appointed by the Governor;

    (h) The executive director of the Kentucky Authority for Educational Television;

    (i) The chair of the Public Service Commission or a designee;

    (j) Two (2) members of the Kentucky General Assembly, one (1) from each

    chamber, selected by the Legislative Research Commission;

    (k) One (1) representative of the Administrative Office of the Courts;

    (l) One (1) representative from the public schools system appointed by the

    Governor;

    (m) One (1) representative of the Kentucky Chamber of Commerce; and

    (n) The executive director of the Commonwealth Office of Technology.

    (3) Appointed members of the council shall serve for a term of two (2) years. Members

    who serve by virtue of an office shall serve on the council while they hold the office.

    (4) Vacancies on the council shall be filled in the same manner as the original

    appointments. If a nominating organization changes its name, its successor

    organization having the same responsibilities and purposes shall be the nominating

    organization.

    (5) Members shall receive no compensation but shall receive reimbursement for actual

    and necessary expenses in accordance with travel and subsistence requirements

    established by the Finance and Administration Cabinet.

    Section 8. KRS 171.450 is amended to read as follows:

    (1) The department shall establish:

    (a) Procedures for the compilation and submission to the department of lists and

    schedules of public records proposed for disposal;

    (b) Procedures for the disposal or destruction of public records authorized for

    disposal or destruction, including appropriate procedures to protect against

    unauthorized access to or use of personal information as defined by Section

    1 of this Act;

    (c) Standards and procedures for recording, managing, and preserving public

    records and for the reproduction of public records by photographic or

    microphotographic process;

    (d) Procedures for collection and distribution by the central depository of all

    reports and publications, except the Kentucky Revised Statutes editions, issued

    by any department, board, commission, officer or other agency of the

    Commonwealth for general public distribution after July 1, 1958.

    (2) The department shall enforce the provisions of KRS 171.410 to 171.740 by

    appropriate rules and regulations.

    (3) The department shall make copies of such rules and regulations available to all

    officials affected by KRS 171.410 to 171.740 subject to the provisions of KRS

    Chapter 13A.

    (4) Such rules and regulations when approved by the department shall be binding on all

    state and local agencies, subject to the provisions of KRS Chapter 13A. The

    department shall perform any acts deemed necessary, legal and proper to carry out

    the duties and responsibilities imposed upon it pursuant to the authority granted

    herein.

    Section 9. KRS 171.680 is amended to read as follows:

    (1) The head of each state and local agency shall establish and maintain an active,

    continuing program for the economical and efficient management of the records of

    the agency.

    (2) Such program shall provide for:

    (a) Effective controls over the creation, maintenance, and use of records in the

    conduct of current business;

    (b) Cooperation with the department in applying standards, procedures, and

    techniques designed to improve the management of records;

    (c) Promotion of the maintenance and security of records deemed appropriate for

    preservation, and facilitation of the segregation and disposal of records of

    temporary value;

    (d) Compliance with the provisions of KRS 171.410 to 171.740 and the rules and

    regulations of the department; and

    (e) Compliance with the provisions of Sections 1 to 4 of this Act.
