Summary of HB 5: Data Security Requirements for Governmental Agencies and Nonaffiliated Third Parties

HB 5 enacts data security requirements for governmental agencies such as counties, cities, boards, commissions, public school districts and public institutions of postsecondary education, including public universities in Kentucky and KCTCS. HB 5 also imposes data security requirements upon persons or businesses contracting with governmental agencies, called “nonaffiliated third parties.” The new law is effective January 1, 2015. The full text of HB 5 is available from the Kentucky Legislature's bill page; select the "SCS" version.

The following are some highlights:

  • A governmental agency or nonaffiliated third party that maintains or possesses personal information is required to have reasonable security procedures and practices to protect and safeguard against security breaches in place by January 1, 2015.
  • Reasonable Security and Breach Investigation Procedures and Practices shall be:

    • in writing; and
    • in accordance with policies or regulations established by the relevant state office. For example, the Council on Postsecondary Education shall establish policies for the procedures and practices to be established and implemented for every public institution of postsecondary education.
  • Agreements executed or amended on or after January 1, 2015 between an agency and a nonaffiliated third party that involve the disclosure of personal information to the nonaffiliated third party shall:

    • require that the nonaffiliated third party implement, maintain and update a certain level of security and breach investigation procedures; and
    • specify how the costs of any required notification and investigation are to be apportioned.
  • Personal information generally means a person’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:

    • account number, credit card number or debit card number that in combination with any required security code, access code or password would permit access to an account;
    • social security number;
    • taxpayer ID number that incorporates a social security number;
    • driver’s license number, state ID card number or other individual ID number issued by an agency;
    • passport number or other ID number issued by the United States government; or
    • individually identifiable health information, except for education records covered by FERPA.
  • Security Breach is defined as either:

    • unauthorized acquisition, distribution, disclosure, destruction, manipulation or release of unencrypted or unredacted records or data that compromises (or the agency or nonaffiliated third party reasonably believes may compromise) the security, confidentiality or integrity of personal information and results in the likelihood of harm to one or more individuals; or
    • unauthorized acquisition, distribution, disclosure, destruction, manipulation or release of encrypted records or data containing personal information, along with the confidential process or key needed to decrypt the records or data, that compromises (or the agency or nonaffiliated third party reasonably believes may compromise) the security, confidentiality or integrity of personal information and results in the likelihood of harm to one or more individuals.
  • Governmental Notification Upon Awareness of Breach:

    • If a nonaffiliated third party becomes aware of a breach, it has only a short period of time (72 hours) to notify the governmental agency of the breach, unless the timing of the notification would impede a criminal investigation or jeopardize homeland security.
    • Similarly, if a governmental agency determines or is notified of a breach, then it must notify the following within 72 hours:

      • the Commissioner of the Kentucky State Police;
      • the Auditor of Public Accounts; and
      • the Attorney General.
      Other specific governmental units are to be notified, depending on which type of agency incurred the breach.
  • Investigation Required:

    • After the initial governmental notifications are given, the agency is required to begin conducting a reasonable and prompt investigation in accordance with the security and breach investigation procedures to determine whether the security breach has resulted in or is likely to result in the misuse of personal information.
  • Post Investigation Notification Required:

    • Once the investigation has been concluded and it has been determined that a security breach has occurred and/or misuse of personal information has occurred or is reasonably likely to occur, the agency shall:

      • within 48 hours of completion of the investigation notify the same governmental officials originally notified and the Commissioner of the Department for Libraries and Archives unless a law enforcement agency provides a written request to the agency to not send the notice;
      • within 35 days of sending the notice above, notify the individuals impacted by the security breach, unless a law enforcement agency provides a written request to the agency to not send the notice or the agency has determined that measures necessary to restore the integrity of the data system cannot be implemented in that timeframe; and
      • if more than 1,000 individuals are to be notified, notify certain governmental entities and consumer credit reporting agencies at least 7 days prior to providing the notice to the individuals.
    • The statute sets forth the required notification procedures.
    • If the agency determines the misuse of personal information has not occurred and is not likely to occur, the agency is not required to give notice but shall:

      • maintain records that reflect the basis of the decision; and
      • notify the agencies originally notified that a misuse of personal information has not occurred.
  • The Attorney General may bring an action for injunctive relief or, in the case of nonaffiliated third parties, other legal remedies, to enforce the statute.

A few points to consider:

  • If you are doing business with Kentucky governmental agencies and handling personal information, you are required to have reasonable security and breach investigation procedures and practices in place by January 1, 2015.
  • Any new agreements or amendments to agreements with a government agency executed after January 1, 2015 must include a provision allocating certain costs.
  • If the personal information is encrypted and the key or decryption process is not disclosed along with the information, then its unauthorized acquisition is not considered a “security breach” under the Kentucky statutory definition and is not reportable. Although the law does not mandate encryption, encrypting the data both when it is stored and while it is transmitted can save a lot of headaches as far as notification goes.
  • Please note the Attorney General’s enforcement authority is not limited to situations involving breaches. Theoretically, the Attorney General could bring an enforcement action against a nonaffiliated third party for not having in place either a proper written agreement or reasonable security and breach investigation procedures and practices.
  • Please be aware that the investigations and notices may be quite costly. Nonaffiliated third parties with cyber liability insurance coverage should check with their carrier to ensure the coverage covers breaches as defined by Kentucky law as well as the cost of any investigation and notices the nonaffiliated third party may agree to pay for under any agreement.
  • The definition of security breach covers not only data but also records. What is your document retention plan? Where are files maintained? Who has access to files and do they have a need for access?