Can I avoid having a data breach response plan in Kentucky? What are the requirements?
Based on the documents provided, it is not possible to avoid having a data breach response plan in Kentucky if you are a state agency or nonaffiliated third party that maintains or otherwise possesses personal information on behalf of another agency.
Kentucky Revised Statutes (KRS) 61.933 specifically authorizes the Commonwealth Office of Technology (COT) to promulgate administrative regulations prescribing the notification form to be used by state agencies and nonaffiliated third parties when they suspect or have determined that a breach has occurred involving personal information that they maintain or otherwise possess on behalf of another agency. [2.1][2.2]
Therefore, if you are a state agency or nonaffiliated third party that maintains or otherwise possesses personal information on behalf of another agency, you are required to have a data breach response plan in Kentucky.
The specific requirements for the data breach response plan are outlined in the administrative regulations promulgated by the COT. [2.1][2.2]
Jurisdiction
Kentucky