Can I skip having an information security program in place in Kentucky? What are the requirements?
Information Security Program Requirements in Kentucky
In Kentucky, businesses are required to have an information security program in place to protect sensitive information. The requirements for such a program are outlined in the Kentucky Revised Statutes (KRS) Chapter 365.732.
According to KRS 365.732, businesses must implement and maintain “reasonable security procedures and practices” to protect sensitive information. This includes:
- Designating one or more employees to coordinate the security program
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of sensitive information
- Developing and implementing safeguards to control the identified risks
- Regularly monitoring and testing the effectiveness of the safeguards
- Evaluating and adjusting the security program in light of relevant circumstances, including changes in the business or operations, or the results of security testing and monitoring
Therefore, it is not advisable to skip having an information security program in place in Kentucky. Failure to comply with these requirements may result in legal consequences.
Jurisdiction
Kentucky