UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

AN ACT relating to the safety and security of personal information held y pu lic agencies! S"CT#$N 1! R"A* AS &$++$%S, Be it enacted by the General Assembly of the Commonwealth of Kentucky: As used in Sections 1 to 4 of this Act: (1) A!ency means: (a) "he e#ecuti$e branch of state !o$ernment of the Commonwealth of Kentucky% (b) &$ery county' city' munici(al cor(oration' urban)county !o$ernment' charter county !o$ernment' consolidated local !o$ernment' and unified local !o$ernment% (c) &$ery or!ani*ational unit' de(artment' di$ision' branch' section' unit' office' administrati$e body' (ro!ram cabinet' bureau' board' commission' committee' subcommittee' ad hoc committee' council' authority' (ublic a!ency' instrumentality' intera!ency body' s(ecial (ur(ose !o$ernmental entity' or (ublic cor(oration' of an entity s(ecified in (ara!ra(hs (a) or (b) of this subsection or created' established' or controlled by an entity s(ecified in (ara!ra(hs (a) or (b) of this subsection% (d) (e) &$ery (ublic school district in the Commonwealth of Kentucky% and &$ery (ublic institution of (ostsecondary education' includin! e$ery (ublic uni$ersity in the Commonwealth of Kentucky and (ublic colle!e of the entire Kentucky Community and "echnical Colle!e System+ (,) Commonwealth -ffice of "echnolo!y 4,+/,4% (0) &ncry(tion means the con$ersion of data usin! technolo!y that: (a) 1eets or e#ceeds the le$el ado(ted by the 2ational 3nstitute of Standards
)age 1 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

A N"% S"CT#$N $& 'RS C(A)T"R 61 #S CR"AT"* T$

means the office established by K.S

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

"echnolo!y as (art of the 4ederal 3nformation 5rocessin! Standards: and (b) .enders the data indeci(herable without the associated cry(to!ra(hic key to deci(her the data% (4) 6aw enforcement a!ency means any lawfully or!ani*ed in$esti!ati$e a!ency' sheriff7s office' (olice unit' or (olice force of federal' state' county' urban)county !o$ernment' charter county' city' consolidated local !o$ernment' unified local !o$ernment' or any combination of these entities' res(onsible for the detection of crime and the enforcement of the !eneral criminal federal and state laws% (8) 2onaffiliated third (arty means any (erson that: (a) 9as a contract or a!reement with an a!ency to (ro$ide ser$ices or resources to the a!ency% and (b) .ecei$es (ersonal information from the a!ency (ursuant to the contract or a!reement% (:) 5ersonal information means an indi$idual7s first name or first initial and last name% (ersonal mark% or uni;ue biometric or !enetic (rint or ima!e' in combination with one (1) or more of the followin! data elements: (a) An account number' credit card number' or debit card number that' in combination with any re;uired security code' access code' or (assword' would (ermit access to an account% (b) (c) (d) A Social Security number% A ta#(ayer identification number% A dri$er7s license number' state identification card number' or other indi$idual identification number issued by any a!ency% (e) A (ass(ort number or other identification number issued by the <nited States !o$ernment% or (f) (/) (a) 1edical information% 5ublic record or record' as established by K.S 1/1+41=' means all books'
)age 2 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

(a(ers' ma(s' (hoto!ra(hs' cards' ta(es' disks' diskettes' recordin!s' and other documentary materials' re!ardless of (hysical form or characteristics' which are (re(ared' owned' used' in the (ossession of or retained by a (ublic a!ency+ (b) 5ublic record does not include any records owned by a (ri$ate (erson or cor(oration that are not related to functions' acti$ities' (ro!rams or o(erations funded by state or local authority% (>) .easonable security (rocedures and (ractices means data security (rocedures and (ractices de$elo(ed in !ood faith and set forth in a written security information (olicy% (?) Security breach means: (a) 1+ "he unauthori*ed ac;uisition' distribution' disclosure' destruction' mani(ulation' or release of unencry(ted or unredacted records or data that com(romises or the a!ency reasonably belie$es may com(romise the security' confidentiality' or inte!rity of (ersonal information% or ,+ "he unauthori*ed ac;uisition' distribution' disclosure' destruction' mani(ulation' or release of unencry(ted records or data containin! (ersonal information alon! with the confidential (rocess or key to unencry(t the records or data+ (b) Security breach does not include the !ood)faith ac;uisition of (ersonal information by an em(loyee or a!ent of the a!ency for the (ur(oses of the a!ency if the (ersonal information is used for a (ur(ose related to the a!ency and is not sub@ect to unauthori*ed disclosure+ S"CT#$N 2! R"A* AS &$++$%S, (1) (a) An a!ency or nonaffiliated third (arty that maintains or otherwise (ossesses (ersonal information' re!ardless of the form in which the
)age 3 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

A N"% S"CT#$N $& 'RS C(A)T"R 61 #S CR"AT"* T$

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

(ersonal information is maintained' shall im(lement' maintain' and u(date security (rocedures and (ractices' includin! takin! any a((ro(riate correcti$e action' to (rotect and safe!uard a!ainst security breaches+ (b) .easonable security and breach in$esti!ation (rocedures and (ractices established and im(lemented by or!ani*ational units of the e#ecuti$e branch of state !o$ernment shall be in accordance with rele$ant enter(rise (olicies established by the Commonwealth -ffice of "echnolo!y+ .easonable security and breach in$esti!ation (rocedures and (ractices established and im(lemented by units of !o$ernment listed under subsection (1)(b) of Section 1 of this Act and subsection (1)(c) of Section 1 of this Act that are not or!ani*ational units of the e#ecuti$e branch of state !o$ernment shall be in accordance with (olicies established by the Ae(artment for 6ocal Go$ernment+ .easonable security and breach in$esti!ation (rocedures and (ractices established and im(lemented by (ublic school districts listed under subsection (1)(d) of Section 1 of this Act shall be in accordance with (olicies established by the Kentucky Ae(artment of &ducation+ .easonable security and breach in$esti!ation (rocedures and (ractices established and im(lemented by educational entities listed under subsection (1)(e) of Section 1 of this Act shall be in accordance with (olicies established by the Council on 5ostsecondary &ducation+ (c) 1+ 3f an a!ency is sub@ect to any additional re;uirements under the Kentucky .e$ised Statutes' or under federal law' (rotocols or a!reements relatin! to the (rotection and (ri$acy of (ersonal information' the a!ency shall com(ly with these additional re;uirements' in addition to the re;uirements of Sections 1 to 4 of this Act+
)age 4 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

,+

Any e#ecuti$e branch a!ency sub@ect to additional re;uirements shall notify the Commonwealth -ffice of "echnolo!y of those

re;uirements' and the Commonwealth -ffice of "echnolo!y shall maintain a list of e#ecuti$e branch a!encies !i$in! notice of additional re;uirements' alon! with a reference to the statutory or other citation where the re;uirements can be located+ Any unit of !o$ernment listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act sub@ect to additional re;uirements that are not or!ani*ational units of the e#ecuti$e branch of state !o$ernment shall notify the Ae(artment for 6ocal Go$ernment of those re;uirements' and the Ae(artment for 6ocal Go$ernment shall maintain a list of units of !o$ernment sub@ect to additional re;uirements' alon! with a reference to the statutory or other citation where the re;uirements can be located+ Any (ublic school districts listed under subsection (1)(d) of Section 1 of this Act sub@ect to additional re;uirements shall notify the Kentucky Ae(artment of &ducation of those re;uirements' and the Kentucky Ae(artment of &ducation shall maintain a list of (ublic school districts sub@ect to additional re;uirements' alon! with a reference to the statutory or other citation where the re;uirements can be located+ Any educational entities listed under subsection (1)(e) of Section 1 of this Act sub@ect to additional re;uirements shall notify the Council on 5ostsecondary &ducation of those re;uirements' and the Council on 5ostsecondary &ducation shall maintain a list of educational entities sub@ect to additional re;uirements' alon! with a reference to the statutory citation where the re;uirements can be located+ (,) (a) 4or a!reements e#ecuted or amended on or after Au!ust 1' ,=14' any
)age 0 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

a!ency that contracts with a nonaffiliated third (arty as a ser$ice (ro$ider and that discloses (ersonal information to the nonaffiliated third (arty shall re;uire as (art of that a!reement that the nonaffiliated third (arty im(lement' maintain' and u(date security and breach in$esti!ation (rocedures that are a((ro(riate to the nature of the information disclosed' that are at least as strin!ent as the security and breach in$esti!ation (rocedures and (ractices referenced in subsection (1)(b) of this section' and that are reasonably desi!ned to (rotect the (ersonal information from unauthori*ed access' use' modification' disclosure' mani(ulation' or destruction+ (b) 1+ A nonaffiliated third (arty that is (ro$ided access to (ersonal information by an a!ency' or that collects and maintains (ersonal information on behalf of an a!ency shall notify the a!ency within twenty)four (,4) hours of disco$ery or notification of a security breach relatin! to the (ersonal information in the (ossession of the nonaffiliated third (arty+ "he notice to the a!ency shall include all information the nonaffiliated (arty has with re!ard to the security breach at the time of notification+ ,+ "he notice re;uired by this (ara!ra(h may be delayed if a law enforcement a!ency notifies the nonaffiliated third (arty that notification will im(ede a criminal in$esti!ation or @eo(ardi*e homeland or national security+ 3f notice is delayed (ursuant to this (ara!ra(h' notification shall be !i$en as soon as reasonably feasible by the nonaffiliated third (arty to the a!ency with which the nonaffiliated third (arty is contractin!+ "he a!ency shall then record the notification in writin! on a form de$elo(ed by the Commonwealth -ffice of "echnolo!y that the notification will not im(ede a criminal
)age 6 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

in$esti!ation and will not @eo(ardi*e homeland or national security+ "he Commonwealth -ffice of "echnolo!y shall (romul!ate

administrati$e re!ulations under Sections 1 to 4 of this Act re!ardin! the content of the form+ S"CT#$N 3! R"A* AS &$++$%S, (1) (a) Any a!ency that collects' maintains' or stores (ersonal information that disco$ers or is notified of a security breach relatin! to (ersonal information collected' maintained' or stored by the a!ency or by an nonaffiliated third) (arty on behalf of the a!ency shall as soon as (ossible' but within twenty) four (,4) hours of disco$ery of the security breach: 1+ 2otify the Commissioner of the Kentucky State 5olice' the Auditor of 5ublic Accounts' and the Attorney General+ 3n addition' an a!ency shall notify the Secretary of the 4inance and Administration Cabinet or his or her desi!nee if an a!ency is an or!ani*ational unit of the e#ecuti$e branch of state !o$ernment% notify the Commissioner of the Ae(artment for 6ocal Go$ernment if the a!ency is a unit of !o$ernment listed in subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an or!ani*ational unit of the e#ecuti$e branch of state !o$ernment% notify the Commissioner of the Kentucky Ae(artment of &ducation if the a!ency is a (ublic school district listed in subsection (1)(d) of Section 1 of this Act% and notify the 5resident of the Council on 5ostsecondary &ducation if the a!ency is an educational entity listed under subsection (1)(c) of Section 1 of this Act+ 2otification shall be in writin! on a form de$elo(ed by the Commonwealth -ffice of "echnolo!y+ "he Commonwealth -ffice of "echnolo!y shall
)age 4 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

A N"% S"CT#$N $& 'RS C(A)T"R 61 #S CR"AT"* T$

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

(romul!ate administrati$e re!ulations under Sections 1 to 4 of this Act re!ardin! the contents of the form+ ,+ Conduct a reasonable and (rom(t in$esti!ation in accordance with the security and breach in$esti!ation (rocedures and (ractices referenced in subsection (1)(b) of this section to determine whether the security breach has resulted in or is likely to result in the misuse of the (ersonal information+ (b) <(on conclusion of the a!ency7s in$esti!ation: 1+ 3f the a!ency determined that a security breach has occurred and that the misuse of (ersonal information has occurred or is reasonably likely to occur' the a!ency shall: a+ Bithin forty)ei!ht (4>) hours of com(letion of the in$esti!ation' notify in writin! all officers listed in sub(ara!ra(h (1)(a)1+ of this section' and the Commissioner of the Ae(artment for 6ibraries and Archi$es' unless the (ro$isions of subsection (0) of this section a((ly% b+ Bithin thirty)fi$e (08) days of (ro$idin! the notifications re;uired by sub(ara!ra(h a+ of this (ara!ra(h' notify all indi$iduals im(acted by the breach as (ro$ided in subsection (,) of this section' unless the (ro$isions of subsection (0) of this section a((ly% and c+ 3f the number of indi$iduals to be notified e#ceeds one thousand (1'===)' the a!ency shall notify' at least se$en (/) days (rior to (ro$idin! notice to indi$iduals under sub(ara!ra(h b+ of this (ara!ra(h' the Commonwealth -ffice of "echnolo!y if the a!ency is an or!ani*ational unit of the e#ecuti$e branch of state !o$ernment' the Ae(artment for 6ocal Go$ernment if the
)age 8 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

a!ency is a unit of !o$ernment listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an or!ani*ational unit of the e#ecuti$e branch of state !o$ernment' the Kentucky Ae(artment of &ducation if the a!ency is a (ublic school district listed under subsection (1)(d) of Section 1 of this Act' or the Council on 5ostsecondary &ducation if the a!ency is an educational entity listed under subsection (1)(e) of Section 1 of this Act% and notify all consumer credit re(ortin! a!encies included on the list maintained by the -ffice of the Attorney General that com(ile and maintain files on consumers on a nationwide basis' as defined in 18 <+S+C+ sec+ 1:>1a(()' of the timin!' distribution' and content of the notice+ ,+ 3f the a!ency determines that the misuse of (ersonal information has not occurred and is not likely to occur' the a!ency is not re;uired to !i$e notice' but shall maintain records that reflect the basis for its decision for a retention (eriod set by the State Archi$es and .ecords Commission as established by K.S 1/1+4,=+ (,) "he (ro$isions of this subsection establish the re;uirements for (ro$idin! notice to indi$iduals under subsection (1)(b)1+b+ of this section+ (a) 2otice shall be (ro$ided as follows: 1+ ,+ Cons(icuous (ostin! of the notice on the Beb site of the a!ency% 2otification to re!ional or local media if the breach is locali*ed' and also to ma@or statewide media if the breach is wides(read' includin! broadcast media' such as radio and tele$ision% and 0+ 5ersonal communication to indi$iduals whose data has been breached usin! the method listed in subdi$isions a+' b+' and c+ of this
)age / of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

sub(ara!ra(h that the a!ency belie$es is most likely to result in actual notification to those indi$iduals' if the a!ency has the information a$ailable: a+ 3n writin!' sent to the most recent address for the indi$idual as reflected in the records of the a!ency% b+ By electronic mail' sent to the most recent electronic mail address for the indi$idual as reflected in the records of the a!ency' unless the indi$idual has communicated to the a!ency in writin! that they do not want email notification% or c+ By tele(hone' to the most recent tele(hone number for the indi$idual as reflected in the records of the a!ency+ (b) "he notice shall be clear and cons(icuous' and shall include: 1+ "o the e#tent (ossible' a descri(tion of the cate!ories of information that were sub@ect to the security breach' includin! the elements of (ersonal information that were or were belie$ed to be ac;uired% ,+ Contact information for the notifyin! a!ency' includin! the address' tele(hone number' and toll)free number if a toll)free number is maintained% 0+ A descri(tion of the !eneral acts of the a!ency' e#cludin! disclosure of defenses used for the (rotection of information' to (rotect the (ersonal information from further security breach% 4+ "he toll)free numbers' addresses' and Beb site addresses' alon! with a statement that the indi$idual can obtain information from the followin! sources about ste(s the indi$idual may take to a$oid identity theft' for: a+ b+
BR-862--!1-- . 862 . 16/0

"he ma@or consumer credit re(ortin! a!encies% "he 4ederal "rade Commission% and
)age 1- of 21
1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

c+ (c)

"he -ffice of the Kentucky Attorney General+

"he a!ency (ro$idin! notice (ursuant to this subsection shall coo(erate with any in$esti!ation conducted by the a!encies notified under subsection (1)(a) of this section and with reasonable re;uests from the -ffice of Consumer 5rotection of the -ffice of the Attorney General' consumer credit re(ortin! a!encies' and reci(ients of the notice' to $erify the authenticity of the notice+

(0)

(a)

"he notices re;uired by subsection (1) of this section shall not be made if' after consultation with a law enforcement a!ency' the a!ency recei$es a written re;uest from a law enforcement a!ency for a delay in notification because the notice may im(ede a criminal in$esti!ation+ "he written re;uest may a((ly to some or all of the re;uired notifications' as s(ecified in the written re;uest from the law enforcement a!ency+ <(on written notification from the law enforcement a!ency that the criminal in$esti!ation has been com(leted' or that the sendin! of the re;uired notifications will no lon!er im(ede a criminal in$esti!ation' the a!ency shall send the notices re;uired by subsection (1)(b)1+ of this section+

(b)

"he notice re;uired by subsection (1)(b)1+b+ of this section may be delayed if the a!ency determines that measures necessary to restore the reasonable inte!rity of the data system cannot be im(lemented within the timeframe established by subsection (1)(b)1+b+ of this section' and the delay is a((ro$ed in writin! by the -ffice of the Attorney General+ 3f notice is delayed (ursuant to this subsection' notice shall be made immediately after actions necessary to restore the inte!rity of the data system ha$e been com(leted+

(4)

An a!ency that maintains data that include (ersonal information that the a!ency does not own shall notify the owner or licensee of the data of any security breach
)age 11 of 21

BR-862--!1-- . 862 . 16/0

1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

of the data immediately u(on disco$ery of the security breach+ (8) Any wai$er of the (ro$isions of this section is contrary to (ublic (olicy and shall be $oid and unenforceable+ (:) "his section shall not a((ly to: (a) (b) 5ersonal information that has been redacted% 5ersonal information disclosed to a federal' state' or local !o$ernment entity' includin! a law enforcement a!ency or court' or their a!ents' assi!ns' em(loyees' or subcontractors' to in$esti!ate or conduct criminal in$esti!ations and arrests' delin;uent ta# assessments' or to (erform any other statutory duties and res(onsibilities% (c) 5ersonal information that is (ublicly and lawfully made a$ailable to the !eneral (ublic from federal' state' or local !o$ernment records% (d) 5ersonal information that an indi$idual has consented to ha$e (ublicly disseminated or listed% or (e) "o any document recorded in the records of either a county clerk or circuit clerk of a county' or in the records of a <nited States Aistrict Court+ (/) "he -ffice of the Attorney General may brin! an action in the 4ranklin Circuit Court a!ainst an a!ency or a nonaffiliated third (arty ser$ice (ro$ider of an a!ency' or both' for in@uncti$e relief or other le!al remedies to enforce the (ro$isions of Sections 1 to 4 of this Act+ S"CT#$N 4! A N"% S"CT#$N $& 'RS C(A)T"R 61 #S CR"AT"* T$

R"A* AS &$++$%S, (1) "he le!islati$e and @udicial branches of state !o$ernment shall im(lement' maintain' and u(date reasonable security (rocedures and (ractices' includin! takin! any a((ro(riate correcti$e action' to (rotect and safe!uard a!ainst security breaches consistent with Sections 1 throu!h 4 of this Act+ (,) "he Ae(artment for 6ibraries and Archi$es shall establish (rocedures for the
)age 12 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

a((ro(riate dis(osal or destruction of records that include (ersonal information (ursuant to the authority !ranted the Ae(artment for 6ibraries and Archi$es under Section > of this Act+ Section 0! 'RS 42!422 is amended to read as follo5s, As used in 'RS 42!42- to 42!44267 unless the conte8t re9uires other5ise:, ;1< =Communications= or =telecommunications= means any transmission7 emission7 or reception of signs7 signals7 5ritings7 images7 and sounds of intelligence of any nature y 5ire7 radio7 optical7 or other electromagnetic systems7 and includes all facilities and e9uipment performing these functions> ;2< =?eographic information system= or =?#S= means a computeri@ed data ase management system for the capture7 storage7 retrieAal7 analysis7 and display of spatial or locationally defined data> ;3< =#nformation resources= means the procedures7 e9uipment7 and soft5are that are designed7 uilt7 operated7 and maintained to collect7 record7 process7 store7 retrieAe7 display7 and transmit information7 and associated personnel> ;4< =#nformation technology= means data processing and telecommunications hard5are7 soft5are7 serAices7 supplies7 facilities7 maintenance7 and training that are used to support information processing and telecommunications systems to include geographic information systems>6 and: ;0< (:) 5ersonal information has the same meanin! as in Section 1 of this Act% =)roBect= means a program to proAide information technologies support to functions 5ithin an e8ecutiAe ranch state agency7 5hich should e characteri@ed y 5ell. defined parameters7 specific o BectiAes7 common enefits7 planned actiAities7

e8pected outcomes and completion dates7 and an esta lished udget 5ith a specified source of funding!% and (/) Security breach has the same meanin! as in Section 1 of this Act+ Section 6! 'RS 42!426 is amended to read as follo5s,
)age 13 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

;1<

The roles and duties of the Common5ealth $ffice of Technology shall include ut not e limited to, ;a< )roAiding technical support and serAices to all e8ecutiAe agencies of state goAernment in the application of information technology> ; < ;c< Assuring compati ility and connectiAity of 'entuc2yCs information systems> *eAeloping strategies and policies to support and promote the effectiAe applications of information technology 5ithin state goAernment as a means of saAing money7 increasing employee productiAity7 and improAing state serAices to the pu lic7 including electronic pu lic access to information of the Common5ealth> ;d< *eAeloping7 implementing7 and managing strategic information technology directions7 standards7 and enterprise architecture7 including implementing necessary management processes to assure full compliance 5ith those directions7 standards7 and architecture6! This specifically includes ut is not limited to directions7 standards7 and architecture related to the priAacy and confidentiality of data collected and stored y state agencies:> ;e< )romoting effectiAe and efficient design and operation of all maBor information resources management processes for e8ecutiAe improAements to 5or2 processes> ;f< *eAeloping7 implementing7 and maintaining the technology infrastructure of the Common5ealth> ;g< &acilitating and fostering applied research in emerging technologies that offer the Common5ealth innoAatiAe usiness solutions> ;h< ReAie5ing and oAerseeing large or comple8 information technology proBects and systems for compliance 5ith state5ide strategies7 policies7 and standards7 including alignment 5ith the Common5ealthCs usiness goals7 inAestment7 and other ris2 management policies! The e8ecutiAe director is authori@ed to grant
)age 14 of 21

ranch agencies7 including

BR-862--!1-- . 862 . 16/0

1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

or 5ithhold approAal to initiate these proBects> ;i< #ntegrating information technology resources to proAide effectiAe and supporta le information technology applications in the Common5ealth> ;B< "sta lishing a central state5ide geographic information clearinghouse to maintain map inAentories7 information on current and planned geographic information systems applications7 information on grants aAaila le for the ac9uisition or enhancement of geographic information resources7 and a directory of geographic information resources aAaila le 5ithin the state or from the federal goAernment> ;2< Coordinating multiagency information technology proBects7 including

oAerseeing the deAelopment and maintenance of state5ide geographic information systems> ;l<

ase maps and

)roAiding access to oth consulting and technical assistance7 and education and training7 on the application and use of information technologies to state and local agencies>

;m< #n cooperation 5ith other agencies7 eAaluating7 participating in pilot studies7 and ma2ing recommendations on information technology hard5are and soft5are> ;n< )roAiding staff support and technical assistance to the ?eographic #nformation AdAisory Council and the 'entuc2y #nformation Technology AdAisory Council> ;o< $Aerseeing the deAelopment of a state5ide geographic information plan 5ith input from the ?eographic #nformation AdAisory Council%6> and: ;p< Ae$elo(in! for state e#ecuti$e branch a!encies a coordinated security framework and model !o$ernance structure relatin! to the (ri$acy and confidentiality of (ersonal information collected and stored by state e#ecuti$e branch a!encies' includin! but not limited to:
)age 10 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

1+

3dentification of key infrastructure com(onents and how to secure them%

,+

&stablishment of a common benchmark that measures the effecti$eness of security' includin! continuous monitorin! and automation of defenses%

0+

3m(lementation of $ulnerability scannin! and other security assessments%

4+

5ro$ision

of

trainin!'

orientation

(ro!rams'

and

other

communications that increase awareness of the im(ortance of security amon! a!ency em(loyees res(onsible for (ersonal

information% and 8+ Ae$elo(ment of and makin! a$ailable a cyber security incident res(onse (lan and (rocedure+ (;) )reparing proposed legislation and funding proposals for the ?eneral Assem ly that 5ill further solidify coordination and e8pedite implementation of information technology systems! ;2< The Common5ealth $ffice of Technology may, ;a< )roAide general consulting serAices7 technical training7 and support for generic soft5are applications7 upon re9uest from a local goAernment7 if the e8ecutiAe director finds that the re9uested serAices can e rendered 5ithin the esta lished terms of the federally approAed cost allocation plan> ; < )romulgate administratiAe regulations in accordance 5ith 'RS Chapter 13A necessary for the implementation of 'RS 42!42- to 42!4427 40!2037 141!42-7 186A!-4-7 186A!2807 and 1/4A!146> ;c< Solicit7 receiAe7 and consider proposals from any state agency7 federal agency7 local goAernment7 uniAersity7 nonprofit organi@ation7 priAate person7 or corporation>
)age 16 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

;d<

Solicit and accept money

y grant7 gift7 donation7

e9uest7 legislatiAe

appropriation7 or other conAeyance to e held7 used7 and applied in accordance 5ith 'RS 42!42- to 42!4427 40!2037 141!42-7 186A!-4-7 186A!2807 and 1/4A!146> ;e< Da2e and enter into memoranda of agreement and contracts necessary or incidental to the performance of duties and e8ecution of its po5ers7 including7 ut not limited to7 agreements or contracts 5ith the Enited States7 other state agencies7 and any goAernmental su diAision of the Common5ealth> ;f< Accept grants from the Enited States goAernment and its agencies and instrumentalities7 and from any source7 other than any person7 firm7 or corporation7 or any director7 officer7 or agent thereof that manufactures or sells information resources technology e9uipment7 goods7 or serAices! To these ends7 the Common5ealth $ffice of Technology shall haAe the po5er to comply 5ith those conditions and e8ecute those agreements that are necessary7 conAenient7 or desira le> and ;g< )urchase interest in contractual serAices7 rentals of all types7 supplies7 materials7 e9uipment7 and other serAices to e used in the research and

deAelopment of eneficial applications of information resources technologies! CompetitiAe ids may not e re9uired for, 1! Ne5 and emerging technologies as approAed y the e8ecutiAe director or her or his designee> or 2! Related professional7 technical7 or scientific serAices7 ut contracts shall e su mitted in accordance 5ith 'RS 40A!6/- to 40A!420! ;3< Nothing in this section shall e construed to alter or diminish the proAisions of 'RS 141!41- to 141!44- or the authority conAeyed y these statutes to the ArchiAes and Records Commission and the *epartment for +i raries and ArchiAes! (4) "he Commonwealth -ffice of "echnolo!y shall' on or before -ctober 1 of each
)age 14 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

year' submit to the 6e!islati$e .esearch Commission a re(ort in accordance with K.S 8/+0?= detailin!: (a) Any security breaches that occurred within or!ani*ational units of the e#ecuti$e branch of state !o$ernment durin! the (rior fiscal year that re;uired notification to the Commonwealth -ffice of "echnolo!y under Section , of this Act% (b) Actions taken to resol$e the security breach' and to (re$ent additional security breaches in the future% (c) A !eneral descri(tion of what actions are taken as a matter of course to (rotect (ersonal data from security breaches% and (d) Any ;uantifiable financial im(act to the a!ency re(ortin! a security breach+ Section 4! 'RS 42!432 is amended to read as follo5s, ;1< There is here y created the 'entuc2y #nformation Technology AdAisory Council to, ;a< AdAise the e8ecutiAe director of the Common5ealth $ffice of Technology on approaches to coordinating information technology solutions among li raries7 pu lic schools7 local goAernments7 uniAersities7 and other pu lic entities> 6and: ; < Ad$ise the e#ecuti$e director of the Commonwealth -ffice of "echnolo!y on coordination amon! and across the or!ani*ational units of the e#ecuti$e branch of state !o$ernment to (re(are for' res(ond to' and (re$ent attacks% and (c) )roAide a forum for the discussion of emerging technologies that enhance electronic accessi ility to Aarious pu licly funded sources of information and serAices! ;2< The 'entuc2y #nformation Technology AdAisory Council shall consist of, ;a< ; < The state udget director or a designee> The state li rarian or a designee>
)age 18 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

;c<

$ne ;1< representatiAe from the pu lic uniAersities to e appointed y the ?oAernor from a list of three ;3< persons su mitted )ostsecondary "ducation> y the Council on

;d<

Three ;3< citi@en mem ers from the priAate sector 5ith information technology 2no5ledge and e8perience appointed y the ?oAernor>

;e< ;f<

T5o ;2< representatiAes of local goAernment appointed y the ?oAernor> $ne ;1< representatiAe from the area deAelopment districts appointed y the ?oAernor from a list of names su mitted y the e8ecutiAe directors of the area deAelopment districts>

;g< ;h< ;i< ;B<

$ne ;1< mem er of the media appointed y the ?oAernor> The e8ecutiAe director of the 'entuc2y Authority for "ducational TeleAision> The chair of the )u lic SerAice Commission or a designee> T5o ;2< mem ers of the 'entuc2y ?eneral Assem ly7 one ;1< from each cham er7 selected y the +egislatiAe Research Commission>

;2< ;l<

$ne ;1< representatiAe of the AdministratiAe $ffice of the Courts> $ne ;1< representatiAe from the pu lic schools system appointed ?oAernor> y the

;m< $ne ;1< representatiAe of the 'entuc2y Cham er of Commerce> and ;n< ;3< The e8ecutiAe director of the Common5ealth $ffice of Technology!

Appointed mem ers of the council shall serAe for a term of t5o ;2< years! Dem ers 5ho serAe y Airtue of an office shall serAe on the council 5hile they hold the office!

;4<

Facancies on the council shall

e filled in the same manner as the original

appointments! #f a nominating organi@ation changes its name7 its successor organi@ation haAing the same responsi ilities and purposes shall e the nominating organi@ation! ;0< Dem ers shall receiAe no compensation ut shall receiAe reim ursement for actual and necessary e8penses in accordance 5ith traAel and su sistence re9uirements
)age 1/ of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

esta lished y the &inance and Administration Ca inet! Section 8! 'RS 141!40- is amended to read as follo5s, ;1< The department shall esta lish, ;a< )rocedures for the compilation and su mission to the department of lists and schedules of pu lic records proposed for disposal> ; < )rocedures for the disposal or destruction of pu lic records authori@ed for disposal or destruction' includin! a((ro(riate (rocedures to (rotect a!ainst unauthori*ed access to or use of (ersonal information as defined by Section 1 of this Act> ;c< Standards and procedures for recording7 managing7 and preserAing pu lic records and for the reproduction of pu lic records microphotographic process> ;d< )rocedures for collection and distri ution y the central depository of all reports and pu lications7 e8cept the 'entuc2y ReAised Statutes editions7 issued y any department7 oard7 commission7 officer or other agency of the y photographic or

Common5ealth for general pu lic distri ution after 1uly 17 1/08! ;2< The department shall enforce the proAisions of 'RS 141!41- to 141!44appropriate rules and regulations! ;3< The department shall ma2e copies of such rules and regulations aAaila le to all officials affected y 'RS 141!41- to 141!44- su Bect to the proAisions of 'RS Chapter 13A! ;4< Such rules and regulations 5hen approAed y the department shall e inding on all state and local agencies7 su Bect to the proAisions of 'RS Chapter 13A! The department shall perform any acts deemed necessary7 legal and proper to carry out the duties and responsi ilities imposed upon it pursuant to the authority granted herein! Section /! 'RS 141!68- is amended to read as follo5s,
)age 2- of 21
BR-862--!1-- . 862 . 16/0 1ac2eted

UNOFFICIAL COPY AS OF 01/21/14

14 REG. SESS.

14 RS BR 862

;1<

The head of each state and local agency shall esta lish and maintain an actiAe7 continuing program for the economical and efficient management of the records of the agency!

;2<

Such program shall proAide for, ;a< "ffectiAe controls oAer the creation7 maintenance7 and use of records in the conduct of current usiness> ; < Cooperation 5ith the department in applying standards7 procedures7 and techni9ues designed to improAe the management of records> ;c< )romotion of the maintenance and security of records deemed appropriate for preserAation7 and facilitation of the segregation and disposal of records of temporary Aalue> ;d< Compliance 5ith the proAisions of 'RS 141!41- to 141!44- and the rules and regulations of the department: and (e) Com(liance with the (ro$isions of Sections 1 to 4 of this Act!

)age 21 of 21
BR-862--!1-- . 862 . 16/0 1ac2eted