Current through 2024 Ky. Acts ch. 225
Section 304.3-750 - Definitions for KRS 304.3-750 to 304.3-768
As used in KRS 304.3-750 to 304.3-768:
(1) "Consumer" means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, and certificate holder:
  (a) Who is a resident of this Commonwealth; and
  (b) Whose nonpublic information is in a licensee's possession, custody, or control;
(2) "Cybersecurity event":
  (a) Means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system; and
  (b) Shall not include:
    1. Unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or
    2. An event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person:
      a. Has not been used or released; and
      b. Has been returned or destroyed;
(3) "Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key;
(4) "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;
(5) "Information system":
  (a) Means a discrete set of electronic nonpublic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information; and
  (b) Shall include any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems;
(6) "Licensee":
  (a) Means any person who is, or is required to be, licensed, authorized to operate, or registered pursuant to the insurance laws of this state; and
  (b) Shall not include:
    1. A purchasing group or a risk retention group chartered and licensed in a state other than this state; or
    2. A licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction;
(7) "Nonpublic information":
  (a) Means electronic information that is not publicly available information; and
  (b) Shall include:
    1. Business-related information of a licensee that if tampered with, or disclosed, accessed, or used without authorization, would cause a material adverse impact to the business, operations, or security of the licensee;
    2. Any confidential personal identifying information of a consumer, including:
      a. Social Security number;
      b. Operator's license number or personal identification card number;
      c. Financial account number;
      d. Credit or debit card number;
      e. Any security code, access code, or password that would permit access to a consumer's financial account; or
      f. Biometric records; and
    3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that relates to:
      a. The past, present, or future physical, mental, or behavioral health or condition of any consumer or member of the consumer's family;
      b. The provision of health care to any consumer; or
      c. Payment for the provision of health care to any consumer;
(8) "Person" means any individual or nongovernmental entity, including but not limited to any nongovernmental partnership, corporation, branch, agency, or association;
(9)(a) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
    1. Federal, state, or local government records;
    2. Widely distributed media; or
    3. Disclosures to the general public that are required to be made by federal, state, or local law.
  (b) For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
    1. That the information is of the type that is available to the general public; and
    2. Whether the consumer can direct that information not be made available to the general public, and if so, that the consumer has not done so; and
(10) "Third-party service provider" means a person, other than a licensee, that:
  (a) Contracts with a licensee to maintain, process, or store nonpublic information; or
  (b) Is otherwise permitted access to nonpublic information through its provision of services to a licensee.

Added by 2022 Ky. Acts ch. 149, § 1, eff. 1/1/2023.