8/13/2019 Kentucky HB 5: Data Security Bill
UNOFFICIAL COPY AS OF 01/21/14 14 REG. SESS. 14 RS BR 862
AN ACT relating to the safety and security of personal information held by public agencies.
Be it enacted by the General Assembly of the Commonwealth of Kentucky:
SECTION 1. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
As used in Sections 1 to 4 of this Act:
(1) "Agency" means:
(a) The executive branch of state government of the Commonwealth of Kentucky;
(b) Every county, city, municipal corporation, urban-county government, charter county government, consolidated local government, and unified local government;
(c) Every organizational unit, department, division, branch, section, unit, office, administrative body, program cabinet, bureau, board, commission, committee, subcommittee, ad hoc committee, council, authority, public agency, instrumentality, interagency body, special purpose governmental entity, or public corporation, of an entity specified in paragraphs (a) or (b) of this subsection or created, established, or controlled by an entity specified in paragraphs (a) or (b) of this subsection;
(d) Every public school district in the Commonwealth of Kentucky; and
(e) Every public institution of postsecondary education, including every public university in the Commonwealth of Kentucky and public college of the entire Kentucky Community and Technical College System.
(2) "Commonwealth Office of Technology" means the office established by KRS 42.724;
(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards
Technology as part of the Federal Information Processing Standards: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(4) "Law enforcement agency" means any lawfully organized investigative agency, sheriff's office, police unit, or police force of federal, state, county, urban-county government, charter county, city, consolidated local government, unified local government, or any combination of these entities, responsible for the detection of crime and the enforcement of the general criminal federal and state laws;
(5) "Nonaffiliated third party" means any person that:
(a) Has a contract or agreement with an agency to provide services or resources to the agency; and
(b) Receives personal information from the agency pursuant to the contract or agreement;
(6) "Personal information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
(a) An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
(b) A Social Security number;
(c) A taxpayer identification number;
(d) A driver's license number, state identification card number, or other individual identification number issued by any agency;
(e) A passport number or other identification number issued by the
papers, maps, photographs, cards, tapes, disks, diskettes, recordings, and other documentary materials, regardless of physical form or characteristics, which are prepared, owned, used, in the possession of or retained by a public agency.
(b) "Public record" does not include any records owned by a private person or corporation that are not related to functions, activities, programs or operations funded by state or local authority;
(8) "Reasonable security procedures and practices" means data security procedures and practices developed in good faith and set forth in a written security information policy;
(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency reasonably believes may compromise the security, confidentiality, or integrity of personal information; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data.
(b) "Security breach" does not include the good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.
SECTION 2. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
(1) (a) An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the
2. Any executive branch agency subject to additional requirements shall notify the Commonwealth Office of Technology of those requirements, and the Commonwealth Office of Technology shall maintain a list of executive branch agencies giving notice of additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any unit of government listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act subject to additional requirements that are not organizational units of the executive branch of state government shall notify the Department for Local Government of those requirements, and the Department for Local Government shall maintain a list of units of government subject to additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any public school districts listed under subsection (1)(d) of Section 1 of this Act subject to additional requirements shall notify the Kentucky Department of Education of those requirements, and the Kentucky Department of Education shall maintain a list of public school districts subject to additional requirements, along with a reference to the statutory or other citation where the requirements can be located. Any educational entities listed under subsection (1)(e) of Section 1 of this Act subject to additional requirements shall notify the Council on Postsecondary Education of those requirements, and the Council on Postsecondary Education shall maintain a list of educational entities subject to additional requirements, along with a reference to the statutory citation where the requirements can be located.
(2) (a) For agreements executed or amended on or after August 1, 2014, any
agency that contracts with a nonaffiliated third party as a service provider and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.
(b) 1. A nonaffiliated third party that is provided access to personal information by an agency, or that collects and maintains personal information on behalf of an agency shall notify the agency within twenty-four (24) hours of discovery or notification of a security breach relating to the personal information in the possession of the nonaffiliated third party. The notice to the agency shall include all information the nonaffiliated party has with regard to the security breach at the time of notification.
2. The notice required by this paragraph may be delayed if a law enforcement agency notifies the nonaffiliated third party that notification will impede a criminal investigation or jeopardize homeland or national security. If notice is delayed pursuant to this paragraph, notification shall be given as soon as reasonably feasible by the nonaffiliated third party to the agency with which the nonaffiliated third party is contracting. The agency shall then record the notification in writing on a form developed by the Commonwealth Office of Technology that the notification will not impede a criminal
investigation and will not jeopardize homeland or national security. The Commonwealth Office of Technology shall promulgate administrative regulations under Sections 1 to 4 of this Act regarding the content of the form.
SECTION 3. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
(1) (a) Any agency that collects, maintains, or stores personal information that discovers or is notified of a security breach relating to personal information collected, maintained, or stored by the agency or by an nonaffiliated third party on behalf of the agency shall as soon as possible, but within twenty-four (24) hours of discovery of the security breach:
1. Notify the Commissioner of the Kentucky State Police, the Auditor of Public Accounts, and the Attorney General. In addition, an agency shall notify the Secretary of the Finance and Administration Cabinet or his or her designee if an agency is an organizational unit of the executive branch of state government; notify the Commissioner of the Department for Local Government if the agency is a unit of government listed in subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government; notify the Commissioner of the Kentucky Department of Education if the agency is a public school district listed in subsection (1)(d) of Section 1 of this Act; and notify the President of the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(c) of Section 1 of this Act. Notification shall be in writing on a form developed by the Commonwealth Office of Technology. The Commonwealth Office of Technology shall
promulgate administrative regulations under Sections 1 to 4 of this Act regarding the contents of the form.
2. Conduct a reasonable and prompt investigation in accordance with the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section to determine whether the security breach has resulted in or is likely to result in the misuse of the personal information.
(b) Upon conclusion of the agency's investigation:
1. If the agency determined that a security breach has occurred and that the misuse of personal information has occurred or is reasonably likely to occur, the agency shall:
a. Within forty-eight (48) hours of completion of the investigation, notify in writing all officers listed in subparagraph (1)(a)1. of this section, and the Commissioner of the Department for Libraries and Archives, unless the provisions of subsection (3) of this section apply;
b. Within thirty-five (35) days of providing the notifications required by subparagraph a. of this paragraph, notify all individuals impacted by the breach as provided in subsection (2) of this section, unless the provisions of subsection (3) of this section apply; and
c. If the number of individuals to be notified exceeds one thousand (1,000), the agency shall notify, at least seven (7) days prior to providing notice to individuals under subparagraph b. of this paragraph, the Commonwealth Office of Technology if the agency is an organizational unit of the executive branch of state government, the Department for Local Government if the
agency is a unit of government listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government, the Kentucky Department of Education if the agency is a public school district listed under subsection (1)(d) of Section 1 of this Act, or the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(e) of Section 1 of this Act; and notify all consumer credit reporting agencies included on the list maintained by the Office of the Attorney General that compile and maintain files on consumers on a nationwide basis, as defined in 18 1a( ), of the timing, distribution, and content of the notice.
2. If the agency determines that the misuse of personal information has not occurred and is not likely to occur, the agency is not required to give notice, but shall maintain records that reflect the basis for its decision for a retention period set by the State Archives and Records Commission as established by KRS 171.420.
(2) The provisions of this subsection establish the requirements for providing notice to individuals under subsection (1)(b)1.b. of this section.
(a) Notice shall be provided as follows:
1. Conspicuous posting of the notice on the Web site of the agency;
2. Notification to regional or local media if the breach is localized, and also to major statewide media if the breach is widespread, including broadcast media, such as radio and television; and
3. Personal communication to individuals whose data has been breached using the method listed in subdivisions a., b., and c. of this
subparagraph that the agency believes is most likely to result in actual notification to those individuals, if the agency has the information available:
a. In writing, sent to the most recent address for the individual as reflected in the records of the agency;
b. By electronic mail, sent to the most recent electronic mail address for the individual as reflected in the records of the agency, unless the individual has communicated to the agency in writing that they do not want email notification; or
c. By telephone, to the most recent telephone number for the individual as reflected in the records of the agency.
(b) The notice shall be clear and conspicuous, and shall include:
1. To the extent possible, a description of the categories of information that were subject to the security breach, including the elements of personal information that were or were believed to be acquired;
2. Contact information for the notifying agency, including the address, telephone number, and toll-free number if a toll-free number is maintained;
3. A description of the general acts of the agency, excluding disclosure of defenses used for the protection of information, to protect the personal information from further security breach;
4. The toll-free numbers, addresses, and Web site addresses, along with a statement that the individual can obtain information from the following sources about steps the individual may take to avoid identity theft, for:
a. The major consumer credit reporting agencies;
b. The Federal Trade Commission; and
c. The Office of the Kentucky Attorney General.
(c) The agency providing notice pursuant to this subsection shall cooperate with any investigation conducted by the agencies notified under subsection (1)(a) of this section and with reasonable requests from the Office of Consumer Protection of the Office of the Attorney General, consumer credit reporting agencies, and recipients of the notice, to verify the authenticity of the notice.
(3) (a) The notices required by subsection (1) of this section shall not be made if, after consultation with a law enforcement agency, the agency receives a written request from a law enforcement agency for a delay in notification because the notice may impede a criminal investigation. The written request may apply to some or all of the required notifications, as specified in the written request from the law enforcement agency. Upon written notification from the law enforcement agency that the criminal investigation has been completed, or that the sending of the required notifications will no longer impede a criminal investigation, the agency shall send the notices required by subsection (1)(b)1. of this section.
(b) The notice required by subsection (1)(b)1.b. of this section may be delayed if the agency determines that measures necessary to restore the reasonable integrity of the data system cannot be implemented within the timeframe established by subsection (1)(b)1.b. of this section, and the delay is approved in writing by the Office of the Attorney General. If notice is delayed pursuant to this subsection, notice shall be made immediately after actions necessary to restore the integrity of the data system have been completed.
(4) An agency that maintains data that include personal information that the agency does not own shall notify the owner or licensee of the data of any security breach
of the data immediately upon discovery of the security breach.
(5) Any waiver of the provisions of this section is contrary to public policy and shall be void and unenforceable.
(6) This section shall not apply to:
(a) Personal information that has been redacted;
(b) Personal information disclosed to a federal, state, or local government entity, including a law enforcement agency or court, or their agents, assigns, employees, or subcontractors, to investigate or conduct criminal investigations and arrests, delinquent tax assessments, or to perform any other statutory duties and responsibilities;
(c) Personal information that is publicly and lawfully made available to the general public from federal, state, or local government records;
(d) Personal information that an individual has consented to have publicly disseminated or listed; or
(e) To any document recorded in the records of either a county clerk or circuit clerk of a county, or in the records of a
appropriate disposal or destruction of records that include personal information pursuant to the authority granted the Department for Libraries and Archives under Section 8 of this Act.
Section 5. KRS 42.722 is amended to read as follows:
As used in KRS 42.720 to 42.742[, unless the context requires otherwise]:
(1) "Communications" or "telecommunications" means any transmission, emission, or reception of signs, signals, writings, images, and sounds of intelligence of any nature by wire, radio, optical, or other electromagnetic systems, and includes all facilities and equipment performing these functions;
(2) "Geographic information system" or "GIS" means a computerized data base management system for the capture, storage, retrieval, analysis, and display of spatial or locationally defined data;
(3) "Information resources" means the procedures, equipment, and software that are designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel;
(4) "Information technology" means data processing and telecommunications hardware, software, services, supplies, facilities, maintenance, and training that are used to support information processing and telecommunications systems to include geographic information systems;[ and]
(5) "Personal information" has the same meaning as in Section 1 of this Act;
(6) "Project" means a program to provide information technologies support to functions within an executive branch state agency, which should be characterized by well-defined parameters, specific objectives, common benefits, planned activities, expected outcomes and completion dates, and an established budget with a specified source of funding[.]; and
(7) "Security breach" has the same meaning as in Section 1 of this Act.
Section 6. KRS 42.726 is amended to read as follows:
(1) The roles and duties of the Commonwealth Office of Technology shall include but not be limited to:
(a) Providing technical support and services to all executive agencies of state government in the application of information technology;
(b) Assuring compatibility and connectivity of Kentucky's information systems;
(c) Developing strategies and policies to support and promote the effective applications of information technology within state government as a means of saving money, increasing employee productivity, and improving state services to the public, including electronic public access to information of the Commonwealth;
(d) Developing, implementing, and managing strategic information technology directions, standards, and enterprise architecture, including implementing necessary management processes to assure full compliance with those directions, standards, and architecture[. This specifically includes but is not limited to directions, standards, and architecture related to the privacy and confidentiality of data collected and stored by state agencies];
(e) Promoting effective and efficient design and operation of all major information resources management processes for executive branch agencies, including improvements to work processes;
(f) Developing, implementing, and maintaining the technology infrastructure of the Commonwealth;
(g) Facilitating and fostering applied research in emerging technologies that offer the Commonwealth innovative business solutions;
(h) Reviewing and overseeing large or complex information technology projects and systems for compliance with statewide strategies, policies, and standards, including alignment with the Commonwealth's business goals, investment, and other risk management policies. The executive director is authorized to grant
or withhold approval to initiate these projects;
(i) Integrating information technology resources to provide effective and supportable information technology applications in the Commonwealth;
(j) Establishing a central statewide geographic information clearinghouse to maintain map inventories, information on current and planned geographic information systems applications, information on grants available for the acquisition or enhancement of geographic information resources, and a directory of geographic information resources available within the state or from the federal government;
(k) Coordinating multiagency information technology projects, including overseeing the development and maintenance of statewide base maps and geographic information systems;
(l) Providing access to both consulting and technical assistance, and education and training, on the application and use of information technologies to state and local agencies;
(m) In cooperation with other agencies, evaluating, participating in pilot studies, and making recommendations on information technology hardware and software;
(n) Providing staff support and technical assistance to the Geographic Information Advisory Council and the Kentucky Information Technology Advisory Council;
(o) Overseeing the development of a statewide geographic information plan with input from the Geographic Information Advisory Council;[; and]
(p) Developing for state executive branch agencies a coordinated security framework and model governance structure relating to the privacy and confidentiality of personal information collected and stored by state executive branch agencies, including but not limited to:
1. Identification of key infrastructure components and how to secure them;
2. Establishment of a common benchmark that measures the effectiveness of security, including continuous monitoring and automation of defenses;
3. Implementation of vulnerability scanning and other security assessments;
4. Provision of training, orientation programs, and other communications that increase awareness of the importance of security among agency employees responsible for personal information; and
5. Development of and making available a cyber security incident response plan and procedure.
(q) Preparing proposed legislation and funding proposals for the General Assembly that will further solidify coordination and expedite implementation of information technology systems.
(2) The Commonwealth Office of Technology may:
(a) Provide general consulting services, technical training, and support for generic software applications, upon request from a local government, if the executive director finds that the requested services can be rendered within the established terms of the federally approved cost allocation plan;
(b) Promulgate administrative regulations in accordance with KRS Chapter 13A necessary for the implementation of KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;
(c) Solicit, receive, and consider proposals from any state agency, federal agency, local government, university, nonprofit organization, private person, or corporation;
(d) Solicit and accept money by grant, gift, donation, bequest, legislative appropriation, or other conveyance to be held, used, and applied in accordance with KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;
(e) Make and enter into memoranda of agreement and contracts necessary or incidental to the performance of duties and execution of its powers, including, but not limited to, agreements or contracts with the United States, other state agencies, and any governmental subdivision of the Commonwealth;
(f) Accept grants from the United States government and its agencies and instrumentalities, and from any source, other than any person, firm, or corporation, or any director, officer, or agent thereof that manufactures or sells information resources technology equipment, goods, or services. To these ends, the Commonwealth Office of Technology shall have the power to comply with those conditions and execute those agreements that are necessary, convenient, or desirable; and
(g) Purchase interest in contractual services, rentals of all types, supplies, materials, equipment, and other services to be used in the research and development of beneficial applications of information resources technologies. Competitive bids may not be required for:
1. New and emerging technologies as approved by the executive director or her or his designee; or
2. Related professional, technical, or scientific services, but contracts shall be submitted in accordance with KRS 45A.690 to 45A.725.
(3) Nothing in this section shall be construed to alter or diminish the provisions of KRS 171.410 to 171.740 or the authority conveyed by these statutes to the Archives and Records Commission and the Department for Libraries and Archives.
(4) The Commonwealth Office of Technology shall, on or before October 1 of each
year, submit to the Legislative Research Commission a report in accordance with KRS 57.390 detailing:
(a) Any security breaches that occurred within organizational units of the executive branch of state government during the prior fiscal year that required notification to the Commonwealth Office of Technology under Section 2 of this Act;
(b) Actions taken to resolve the security breach, and to prevent additional security breaches in the future;
(c) A general description of what actions are taken as a matter of course to protect personal data from security breaches; and
(d) Any quantifiable financial impact to the agency reporting a security breach.
Section 7. KRS 42.732 is amended to read as follows:
(1) There is hereby created the Kentucky Information Technology Advisory Council to:
(a) Advise the executive director of the Commonwealth Office of Technology on approaches to coordinating information technology solutions among libraries, public schools, local governments, universities, and other public entities;[ and]
(b) Advise the executive director of the Commonwealth Office of Technology on coordination among and across the organizational units of the executive branch of state government to prepare for, respond to, and prevent attacks; and
(c) Provide a forum for the discussion of emerging technologies that enhance electronic accessibility to various publicly funded sources of information and services.
(2) The Kentucky Information Technology Advisory Council shall consist of:
(a) The state budget director or a designee;
(b) The state librarian or a designee;
(c) One (1) representative from the public universities to be appointed by the Governor from a list of three (3) persons submitted by the Council on Postsecondary Education;
(d) Three (3) citizen members from the private sector with information technology knowledge and experience appointed by the Governor;
(e) Two (2) representatives of local government appointed by the Governor;
(f) One (1) representative from the area development districts appointed by the Governor from a list of names submitted by the executive directors of the area development districts;
(g) One (1) member of the media appointed by the Governor;
(h) The executive director of the Kentucky Authority for Educational Television;
(i) The chair of the Public Service Commission or a designee;
(j) Two (2) members of the Kentucky General Assembly, one (1) from each chamber, selected by the Legislative Research Commission;
(k) One (1) representative of the Administrative Office of the Courts;
(l) One (1) representative from the public schools system appointed by the Governor;
(m) One (1) representative of the Kentucky Chamber of Commerce; and
(n) The executive director of the Commonwealth Office of Technology.
(3) Appointed members of the council shall serve for a term of two (2) years. Members who serve by virtue of an office shall serve on the council while they hold the office.
(4) Vacancies on the council shall be filled in the same manner as the original appointments. If a nominating organization changes its name, its successor organization having the same responsibilities and purposes shall be the nominating organization.
(5) Members shall receive no compensation but shall receive reimbursement for actual and necessary expenses in accordance with travel and subsistence requirements
established by the Finance and Administration Cabinet.
Section 8. KRS 171.450 is amended to read as follows:
(1) The department shall establish:
(a) Procedures for the compilation and submission to the department of lists and schedules of public records proposed for disposal;
(b) Procedures for the disposal or destruction of public records authorized for disposal or destruction, including appropriate procedures to protect against unauthorized access to or use of personal information as defined by Section 1 of this Act;
(c) Standards and procedures for recording, managing, and preserving public records and for the reproduction of public records by photographic or microphotographic process;
(d) Procedures for collection and distribution by the central depository of all reports and publications, except the Kentucky Revised Statutes editions, issued by any department, board, commission, officer or other agency of the Commonwealth for general public distribution after July 1, 1958.
(2) The department shall enforce the provisions of KRS 171.410 to 171.740 by appropriate rules and regulations.
(3) The department shall make copies of such rules and regulations available to all officials affected by KRS 171.410 to 171.740 subject to the provisions of KRS Chapter 13A.
(4) Such rules and regulations when approved by the department shall be binding on all state and local agencies, subject to the provisions of KRS Chapter 13A. The department shall perform any acts deemed necessary, legal and proper to carry out the duties and responsibilities imposed upon it pursuant to the authority granted herein.
Section 9. KRS 171.680 is amended to read as follows:
(1) The head of each state and local agency shall establish and maintain an active, continuing program for the economical and efficient management of the records of the agency.
(2) Such program shall provide for:
(a) Effective controls over the creation, maintenance, and use of records in the conduct of current business;
(b) Cooperation with the department in applying standards, procedures, and techniques designed to improve the management of records;
(c) Promotion of the maintenance and security of records deemed appropriate for preservation, and facilitation of the segregation and disposal of records of temporary value;
(d) Compliance with the provisions of KRS 171.410 to 171.740 and the rules and regulations of the department: and
(e) Compliance with the provisions of Sections 1 to 4 of this Act.