HB 5/LM (BR 862) - De. Butler, S. Santoro, J. Adams, R. Adkins, J. Bell, R. Benvenuti III, K. Bratcher, R. Bunch, T. Burch, Dw. Butler, J. Carney, L. Clark, H. Collins, L. Combs, T. Couch, W. Coursey, J. Crenshaw, R. Crimm, R. Damron, J. DeCesare, M. Denham, J. Donohue, M. Dossett, C. Embry Jr., J. Fischer, K. Flood, J. Glenn, D. Graham, J. Greer, K. Hall, M. Harmon, R. Heath, T. Herald, D. Horlander, K. Imes, J. Jenkins, J. Kay, D. Keene, K. King, M. King, A. Koenig, S. Lee, Ji. Lee, B. Linder, M. Marzian, D. Mayfield, T. McKee, D. Meade, R. Meeks, M. Meredith, S. Miles, C. Miller, T. Mills, B. Montell, T. Moore, D. Osborne, S. Overly, R. Palumbo, R. Quarles, M. Rader, J. Richards, S. Riggs, T. Riner, B. Rowland, A. Simpson, K. Sinnette, D. St. Onge, F. Steele, J. Stewart III, G. Stumbo, T. Thompson, J. Tilley, T. Turner, K. Upchurch, G. Watkins, J. Wayne, R. Webber, S. Westrom, A. Wuchner, B. Yonts, J. York
AN ACT relating to the safety and security of personal information held by public agencies.
Create a new section of KRS Chapter 61 to define certain terms; create a new section of KRS Chapter 61 to require public agencies and nonaffiliated third parties to implement, maintain, and update security procedures and practices, including taking any appropriate corrective action to safeguard against security breaches; establish reasonable security and breach investigation procedures; include security and breach investigation procedures in contracts with nonaffiliated third parties; create a new section of KRS Chapter 61 to require public agencies that maintain personal information to notify persons impacted by security breaches; notify specified officials of security breaches; specify how to provide notice of security breaches to impacted individuals; create a new section of KRS Chapter 61 to require the Department for Libraries and Archives to establish procedures for the disposal and destruction of records that include personal information and require the legislative and judicial branches to follow Sections 1 to 4 of this Act; amend KRS 42.722 to define certain terms; amend KRS 42.726 to require the Commonwealth Office of Technology to develop a security framework relating to privacy and confidentiality of personal information and submit an annual report to the Legislative Research Commission regarding security breaches; amend KRS 42.732 to require the Commonwealth Office of Technology to receive specified advice on preventing security attacks; amend KRS 171.450 to require the Department for Libraries and Archives to establish procedures to protect against unauthorized access to personal information; amend KRS 171.680 to require public agencies to comply with the provisions of Sections 1 to 4 of this Act.
HB 5 - AMENDMENTS
HCS/LM - Retain original provisions, except: require the Department for Local Government to consult with public entities in development of security and breach investigation procedures for local governments; require the Commonwealth Office of Technology to make available technical assistance for the establishment of security and breach investigation procedures upon request of an agency; require agencies to notify appropriate entities when investigation reveals misuse of personal information has not occurred; declare that provisions of the Act do not impact the Open Records Act; make the Act effective January 1, 2015.
SCS - Retain original provisions, except: make technical corrections; define "individually identifiable health information"; define "nonaffiliated third party" to include persons who have a contract or agreement with an agency and receive personal information under that contract or agreement, but are not necessarily providing services or resources; define "security breach" to include nonaffiliated third parties and consider likelihood of harm to individuals; make the Kentucky Board of Education the agency responsible for implementing security and breach investigation procedures for public school districts; delete language requiring notification of additional requirements beyond those required under this bill; allow nonaffiliated third parties and agencies 72 hours for security breach notification instead of 24 hours; prohibit private right of action; effective January 1, 2015.
Jan 9-introduced in House
Jan 13-to State Government (H)
Jan 21-posted in committee
Jan 23-reported favorably, 1st reading, to Consent Calendar with Committee Substitute
Jan 24-2nd reading, to Rules
Jan 28-taken from Rules (H); placed in the Consent Orders of the Day for Thursday, January 30, 2014
Jan 30-3rd reading, passed 100-0 with Committee Substitute
Jan 31-received in Senate
Feb 4-to State & Local Government (S)
Mar 18-reported favorably, 1st reading, to Consent Calendar with Committee Substitute
Mar 19-2nd reading, to Rules
Mar 20-posted for passage in the Consent Orders of the Day for Friday, March 21, 2014
Mar 21-3rd reading, passed 38-0 with Committee Substitute
Mar 24-received in House; to Rules (H)
Mar 27-taken from Rules; posted for passage for concurrence in Senate Committee Substitute
Mar 28-House concurred in Senate Committee Substitute; passed 97-0
Mar 31-enrolled, signed by each presiding officer; delivered to Governor
Apr 10-signed by Governor (Acts, ch. 74)