Statutes, codes, and regulations
Kentucky Administrative Regulations
Title 200 - FINANCE AND ADMINISTRATION CABINET
Chapter 1 - General Administration
Section 200 KAR 1:016 - Data breach notification forms

200 Ky. Admin. Regs. 1:016

Download
PDF
Current through Register Vol. 51, No. 5, November 1, 2024
Section 200 KAR 1:016 - Data breach notification forms

RELATES TO: KRS 61.931, 61.932, 61.933

NECESSITY, FUNCTION, AND CONFORMITY: KRS 42.726(3)(b) authorizes the Finance and Administration Cabinet, Commonwealth Office of Technology (COT) to promulgate administrative regulations relating to COT's duties. KRS 61.933 specifically authorizes COT to promulgate administrative regulations prescribing the notification form to be used by state agencies and nonaffiliated third parties when they suspect or have determined that a breach of personal information has occurred with respect to personal information that the state agency or nonaffiliated third party maintains or otherwise possesses on behalf of another agency. KRS 61.932(2)(b) 2. specifically authorizes COT to promulgate administrative regulations prescribing the form to be used if a law enforcement agency has requested a delay in notification of a security breach to allow for investigation of the breach. This administrative regulation establishes the data breach notification forms.

Section 1. Administrative - Required Forms.
(1) Finance Form FAC-001, Suspected and Determined Breach Notification Form, or a form substantially similar thereto, shall be completed by a state agency or nonaffiliated third party to provide written notification of a suspected or determined security breach of personal information collected, maintained, or stored by the agency or nonaffiliated third party.
(2) Finance Form FAC-002, Delay Notification Record, or a form substantially similar thereto, shall be completed by a state agency or nonaffiliated third party if the notification of a suspected or determined breach of personal information collected, maintained, or stored by the agency or nonaffiliated third party has been delayed pursuant to a request from a law enforcement agency or with the approval of the Office of the Attorney General. All documentation related to the delay shall be attached to the form.
Section 2. Incorporation by Reference.
(1) The following material is incorporated by reference:
(a) "Finance Form FAC-001, Suspected and Determined Breach Notification Form", September 13, 2022; and
(b) "Finance Form FAC-002, Delay Notification Record", September 13, 2022.
(2) This material may be inspected, copied, or obtained, subject to applicable copyright law, at the Commonwealth Office of Technology, 101 Cold Harbor Drive, Frankfort, Kentucky 40601, Monday through Friday, 8 a.m. to 5 p.m., and on the Finance and Administration Cabinet's Web site, https://finance.ky.gov/office-of-the-secretary/Pages/finance-forms.aspx.

200 KAR 1:016

49 Ky.R. 190, 758; eff. 1/3/2023.

STATUTORY AUTHORITY: KRS 42.726(3)(b), 61.932(2)(b) 2., 61.933