FINANCE AND ADMINISTRATION CABINET

Commonwealth Office of Technology

(New Administrative Regulation)

 

200 KAR 1:015. Data Breach Notification Forms.



RELATES TO: KRS 61.932, 61.933

STATUTORY AUTHORITY: KRS 42.726(2)(b), 61.932, 61.933

NECESSITY, FUNCTION, AND CONFORMITY: KRS 42.726(2)(b) authorizes the Finance and Administration Cabinet, Commonwealth Office of Technology ("COT") to promulgate administrative regulations relating to COT's duties. KRS 61.933 specifically authorizes COT to prescribe forms necessary for notification by state agencies and nonaffiliated third parties when they suspect or have determined that a breach of personal information that the state agency or nonaffiliated third party maintains or otherwise possesses on behalf of another agency has occurred. KRS 61.932 specifically authorizes COT to prescribe forms when law enforcement agencies have requested a delay of notification to allow for investigation of the suspected or determined breach. This administrative regulation establishes the required forms for notification of a suspected or determined breach of personal information or a request to delay notification by law enforcement.

 

Section 1. Administrative - Required Forms. (1) Finance Form FAC-001, Suspected and Determined Breach Notification Form, shall be completed by a state agency or nonaffiliated third party to notify the agency for whom it maintains or otherwise possesses personal information regarding a suspected or determined breach in data.

(2) Finance Form FAC-002, Delay Notification Record, shall be completed by a state agency or nonaffiliated third party when a law enforcement agency has requested a delay of notification to allow for investigation of the suspected or determined breach.



Section 2. Incorporation by Reference. (1) The following material is incorporated by reference:

(a) Finance Form FAC-001, "Suspected and Determined Breach Notification Form," August, 2014; and

(b) Finance Form FAC-002, "Delay Notification Record," August, 2014.

(2) This material may be inspected, copied, or obtained, subject to applicable copyright law, at the Commonwealth Office of Technology, 101 Cold Harbor Drive, Frankfort, Kentucky 40601 Monday through Friday, 8 a.m. to 5 p.m., and on the Finance and Administration Cabinet Web site, http://finance.ky.gov/Pages/default.aspx.

 

STEVE RUCKER, Deputy Secretary

APPROVED BY AGENCY: August 14, 2014

FILED WITH LRC: August 14, 2014 at 10 a.m.

PUBLIC HEARING AND PUBLIC COMMENT PERIOD: A public hearing on this administrative regulation shall be held on September 23, 2014 from 10:00 a.m. to 12:00 p.m., in Room 381, Capitol Annex Building, Frankfort, Kentucky 40601. Individuals interested in being heard at this hearing shall notify this agency in writing by five (5) workdays prior to the hearing, of their intent to attend. If no notification of intent to attend the hearing is received by that date, the hearing may be cancelled. This hearing is open to the public. Any person who wishes to be heard will be given an opportunity to comment on the proposed administrative regulation. A transcript of the public hearing will not be made unless a written request for a transcript is made. If you do not wish to be heard at the public hearing, you may submit written comments on the proposed administrative regulation. Written comments shall be accepted until September 30, 2014. Send written notification of intent to be heard at the public hearing or written comments on the proposed amended administrative regulation to the contact person.

CONTACT PERSON: Doug Hendrix, Deputy General Counsel, Finance and Administration Cabinet, 702 Capitol Avenue, Frankfort, Kentucky 40601, phone (502) 564-6660, fax (502) 564-9875.

 

REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT

 

Contact Person: Doug Hendrix

(1) Provide a brief summary of:

(a) What this administrative regulation does: KRS 42.726(2)(b) authorizes the Finance and Administration Cabinet, Commonwealth Office of Technology ("COT"), to promulgate regulations relating to COT's duties. KRS 61.933 specifically authorizes COT to prescribe forms necessary for notification by state agencies and nonaffiliated third parties when they suspect or have determined that a breach of personal information that the state agency or nonaffiliated third party maintains or otherwise possesses on behalf of another agency has occurred. KRS 61.932 specifically authorizes COT to prescribe forms necessary when law enforcement agencies have requested a delay of notification to allow for investigation of the suspected or determined breach. This regulation prescribes those forms.

(b) The necessity of this administrative regulation: This administrative regulation is necessary in order for COT to meet the requirements of KRS Chapter 13A.110, which requires that forms required to be submitted by a regulated entity shall be included in an administrative regulation, as well as the specific directives of KRS 61.932 and KRS 61.933.

(c) How this administrative regulation conforms to the content of the authorizing statutes: KRS 61.932 and KRS 61.933 specifically direct COT to prescribe these forms.

(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes: The forms prescribed herein will provide necessary notice to agencies, law enforcement, the Auditor of Public Accounts and the Attorney General as required by House Bill 5 of the 2014 Regular Session of the General Assembly.

(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:

(a) How the amendment will change this existing administrative regulation: N/A

(b) The necessity of the amendment to this administrative regulation: N/A

(c) How the amendment conforms to the content of the authorizing statutes: N/A

(d) How the amendment will assist in the effective administration of the statutes: N/A

(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation: All state agencies or private entities (identified as nonaffiliated third parties) which maintain or otherwise possess personal information for state agencies.

(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:

(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment: Affected entities must complete the necessary forms when they suspect or determine that a breach of personal information has occurred.

(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3): There will be a minimal cost to complete the forms.

(c) As a result of compliance, what benefits will accrue to the entities identified in question (3): Affected entities will comply with the requirements of KRS 61.931-934.

(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:

(a) Initially: COT will not incur any initial costs as the result of this regulation.

(b) On a continuing basis: COT will not incur any additional costs as the result of this regulation.

(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation: COT agency funds.

(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment: This administrative regulation does not require an increase in fees or funding.

(8) State whether or not this administrative regulation established any fees or directly or indirectly increased any fees: This administrative regulation does not establish or increase any fees either directly or indirectly.

(9) TIERING: Is tiering applied? Tiering was not applied to this regulation because all entities which possess personal information, whether public or private, will be treated similarly under the proposed regulation and forms.

 

FISCAL NOTE ON STATE OR LOCAL GOVERNMENT

 

(1) What units, parts, or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation? No local government entities will be affected. COT and any state agency which suspects or experiences a breach of personal information will be affected.

(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation. KRS 42.726; KRS 61.932; KRS 61.933.

(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect. None.

(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year? None.

(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years? None.

(c) How much will it cost to administer this program for the first year? No additional cost.

(d) How much will it cost to administer this program for subsequent years? No additional costs.

Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.

Revenues (+/-):

Expenditures (+/-):

Other Explanation: