Back

North America > Kentucky State Legislature

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act



AD ID

0003948

AD STATUS

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

ORIGINATOR

Kentucky State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Kentucky Consumer Data Protection Act

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.

AD ID

0003948

AD STATUS

Free

ORIGINATOR

Kentucky State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Kentucky Consumer Data Protection Act

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
107 Mandated Controls - bold    
75 Implied Controls - italic     478 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
660 Total
  • Acquisition or sale of facilities, technology, and services
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition/Sale of Assets or Services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Acquisition/Sale of Assets or Services Preventive
  • Audits and risk management
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]
    Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]
    Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Establish/Maintain Documentation Preventive
  • Human Resources management
    30
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]
    Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Establish, implement, and maintain a legal support program. CC ID 13710
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Establish/Maintain Documentation Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Audits and Risk Management Detective
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Communicate Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Behavior Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Behavior Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Behavior Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Behavior Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources Management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources Management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Behavior Preventive
  • Leadership and high level objectives
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]
    Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Communicate Preventive
  • Monitoring and measurement
    71
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Audits and Risk Management Preventive
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Establish/Maintain Documentation Preventive
    Implement a fraud detection system. CC ID 13081
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)
    {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
  • Operational management
    186
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Communicate Preventive
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Human Resources Management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Establish/Maintain Documentation Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Establish/Maintain Documentation Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Establish/Maintain Documentation Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Establish/Maintain Documentation Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Process or Activity Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Process or Activity Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Process or Activity Detective
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Monitor and Evaluate Occurrences Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Investigate Detective
    Respond to and triage when an incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Contain the incident to prevent further loss. CC ID 01751 Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Establish/Maintain Documentation Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Establish/Maintain Documentation Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Assess all incidents to determine what information was accessed. CC ID 01226 Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179 Investigate Detective
    Share incident information with interested personnel and affected parties. CC ID 01212 Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Redact restricted data before sharing incident information. CC ID 16994 Data and Information Management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Remediate security violations according to organizational standards. CC ID 12338 Business Processes Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739 Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Establish/Maintain Documentation Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Technical Security Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Business Processes Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Human Resources Management Corrective
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Establish/Maintain Documentation Preventive
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Monitor and Evaluate Occurrences Detective
    Re-image compromised systems with secure builds. CC ID 12086 Technical Security Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Establish/Maintain Documentation Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Include incident response procedures in the Incident Management program. CC ID 01218 Establish/Maintain Documentation Preventive
    Integrate configuration management procedures into the incident management program. CC ID 13647 Technical Security Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Data and Information Management Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Establish/Maintain Documentation Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Log Management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Establish/Maintain Documentation Preventive
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Establish/Maintain Documentation Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Communicate Corrective
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
  • Privacy protection for information and data
    314
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]
    Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]
    Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]
    Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]
    Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]
    Establish/Maintain Documentation Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]
    Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Establish/Maintain Documentation Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]
    Process or Activity Detective
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]
    Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)
    If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Establish/Maintain Documentation Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Human Resources Management Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Data and Information Management Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e)
    {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]
    Business Processes Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Process or Activity Preventive
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]
    Data and Information Management Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2)
    A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]
    Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]
    Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]
    Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]
    Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Behavior Preventive
    Respond to data access requests in an official language. CC ID 17176 Communicate Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Business Processes Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Business Processes Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]
    Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]
    Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]
    Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]
    Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]
    Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]
    Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Data and Information Management Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6)
    {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]
    Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Data and Information Management Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a)
    {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]
    Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]
    Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]
    Business Processes Corrective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Behavior Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3)
    A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)
    {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]
    Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Communicate Preventive
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Data and Information Management Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Establish/Maintain Documentation Preventive
    Check the accuracy of restricted data. CC ID 00088 Data and Information Management Preventive
    Record restricted data correctly. CC ID 00089 Testing Detective
    Check the data accuracy of new accounts. CC ID 04859 Data and Information Management Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Establish/Maintain Documentation Preventive
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Testing Detective
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Data and Information Management Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Data and Information Management Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Data and Information Management Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Data and Information Management Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Data and Information Management Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Data and Information Management Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Data and Information Management Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Data and Information Management Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Data and Information Management Detective
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Behavior Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Data and Information Management Detective
    Interview appropriate parties to validate consumer information. CC ID 16902 Process or Activity Preventive
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Business Processes Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Business Processes Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Process or Activity Preventive
  • Technical security
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Establish/Maintain Documentation Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Establish/Maintain Documentation Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Establish/Maintain Documentation Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Establish/Maintain Documentation Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Establish/Maintain Documentation Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Data and Information Management Preventive
  • Third Party and supply chain oversight
    16
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]
    Establish/Maintain Documentation Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138 Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Provide products or services per customer requests. CC ID 08893
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]
    Business Processes Preventive
Common Controls and
mandates by Type
107 Mandated Controls - bold    
75 Implied Controls - italic     478 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
660 Total
  • Acquisition/Sale of Assets or Services
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Preventive
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from providing products and services, as necessary. CC ID 15580
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Acquisition or sale of facilities, technology, and services Preventive
  • Actionable Reports or Measurements
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
  • Audits and Risk Management
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Preventive
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Detective
  • Behavior
    39
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Corrective
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Preventive
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Corrective
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Preventive
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Detective
  • Business Processes
    43
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Implement a fraud detection system. CC ID 13081
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Detective
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Corrective
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Corrective
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e)
    {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]
    Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Preventive
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]
    Privacy protection for information and data Corrective
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Detective
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Provide products or services per customer requests. CC ID 08893
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]
    Third Party and supply chain oversight Preventive
  • Communicate
    33
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]
    Audits and risk management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Preventive
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Operational management Corrective
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]
    Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Privacy protection for information and data Preventive
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Corrective
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Capture personal data removal requests. CC ID 13507
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]
    Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]
    Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Preventive
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Preventive
  • Data and Information Management
    149
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce access restrictions for restricted data. CC ID 01921
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Technical security Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]
    Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]
    Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]
    Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]
    Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431
    [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]
    Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6)
    {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]
    Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a)
    {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]
    Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Preventive
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Preventive
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Preventive
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Preventive
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Preventive
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Preventive
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Preventive
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Preventive
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Preventive
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Preventive
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Preventive
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Detective
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Detective
  • Establish Roles
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    259
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]
    Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Monitoring and measurement Preventive
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Technical security Preventive
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Preventive
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Preventive
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Preventive
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Preventive
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain a legal support program. CC ID 13710
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]
    Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Operational management Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Preventive
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Preventive
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Preventive
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Preventive
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Preventive
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Preventive
    Use plain language to write incident response notifications. CC ID 12976 Operational management Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Preventive
    Include time information in incident response notifications. CC ID 04745 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Detective
    Include contact information in incident response notifications. CC ID 04739 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Preventive
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Preventive
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Preventive
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]
    Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]
    Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]
    Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]
    Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]
    Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)
    If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]
    Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2)
    A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]
    Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]
    Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]
    Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]
    Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]
    Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3)
    A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)
    {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Preventive
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]
    Third Party and supply chain oversight Preventive
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Third Party and supply chain oversight Detective
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Detective
  • Human Resources Management
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Preventive
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]
    Human Resources management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Operational management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Corrective
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]
    Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]
    Privacy protection for information and data Detective
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Corrective
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Detective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Detective
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Preventive
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Detective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Detective
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Detective
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Preventive
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
  • Log Management
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Preventive
  • Monitor and Evaluate Occurrences
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]
    Monitoring and measurement Detective
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Detective
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Preventive
  • Process or Activity
    34
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)
    {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Monitoring and measurement Corrective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]
    Audits and risk management Preventive
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Detective
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Detective
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Corrective
    Contain the incident to prevent further loss. CC ID 01751 Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]
    Privacy protection for information and data Detective
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Preventive
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]
    Privacy protection for information and data Preventive
  • Systems Design, Build, and Implementation
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
  • Technical Security
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Categorize the incident following an incident response. CC ID 13208 Operational management Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Refrain from accessing compromised systems. CC ID 01752 Operational management Corrective
    Isolate compromised systems from the network. CC ID 01753 Operational management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Corrective
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Corrective
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
  • Testing
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Corrective
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Detective
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Detective
Common Controls and
mandates by Classification
107 Mandated Controls - bold    
75 Implied Controls - italic     478 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
660 Total
  • Corrective
    54
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Investigate
    Correct compliance violations. CC ID 13515
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)
    {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Monitoring and measurement Process or Activity
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Monitoring and measurement Behavior
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Business Processes
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Monitor and Evaluate Occurrences
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Respond to all alerts from security systems in a timely manner. CC ID 06434 Operational management Behavior
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Process or Activity
    Contain the incident to prevent further loss. CC ID 01751 Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Refrain from accessing compromised systems. CC ID 01752 Operational management Technical Security
    Isolate compromised systems from the network. CC ID 01753 Operational management Technical Security
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Log Management
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Technical Security
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Behavior
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Behavior
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Behavior
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Behavior
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Behavior
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Behavior
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Include incident recovery procedures in the Incident Management program. CC ID 01758 Operational management Establish/Maintain Documentation
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Technical Security
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Business Processes
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Human Resources Management
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Technical Security
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Establish/Maintain Documentation
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Log Management
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Operational management Communicate
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Communicate
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]
    Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]
    Privacy protection for information and data Business Processes
  • Detective
    55
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Monitor and Evaluate Occurrences
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Testing
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Business Processes
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Investigate
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Investigate
    Provide security inspectors access to personnel files during site reviews. CC ID 12300 Human Resources management Audits and Risk Management
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Determine the cost of the incident when assessing security incidents. CC ID 17188 Operational management Process or Activity
    Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 Operational management Process or Activity
    Determine the duration of the incident when assessing security incidents. CC ID 17181 Operational management Process or Activity
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Investigate
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Operational management Establish/Maintain Documentation
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Investigate
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Establish/Maintain Documentation
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Establish/Maintain Documentation
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Investigate
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Behavior
    Avoid false positive incident response notifications. CC ID 04732 Operational management Behavior
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Establish/Maintain Documentation
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Monitor and Evaluate Occurrences
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Establish/Maintain Documentation
    Require a data protection impact assessment when profiling the data subject. CC ID 12680
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3.
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]
    Privacy protection for information and data Process or Activity
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Investigate
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Review compliance with the organization's privacy objectives. CC ID 13490
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]
    Privacy protection for information and data Human Resources Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Record restricted data correctly. CC ID 00089 Privacy protection for information and data Testing
    Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 Privacy protection for information and data Testing
    Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 Privacy protection for information and data Data and Information Management
    Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 Privacy protection for information and data Behavior
    Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 Privacy protection for information and data Data and Information Management
    Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 Privacy protection for information and data Business Processes
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888
    [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Third Party and supply chain oversight Establish/Maintain Documentation
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Third Party and supply chain oversight Establish/Maintain Documentation
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    542
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631
    [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]
    Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 Leadership and high level objectives Communicate
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Audits and Risk Management
    Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 Monitoring and measurement Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Establish/Maintain Documentation
    Implement a fraud detection system. CC ID 13081
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Business Processes
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Monitoring and measurement Establish/Maintain Documentation
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830
    [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e)
    {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6)
    Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]
    Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313
    [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]
    Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Establish/Maintain Documentation
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635
    [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an authorized representatives policy. CC ID 13798
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Technical security Establish/Maintain Documentation
    Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 Technical security Establish/Maintain Documentation
    Include termination procedures in the authorized representatives policy. CC ID 17226 Technical security Establish/Maintain Documentation
    Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 Technical security Establish/Maintain Documentation
    Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 Technical security Establish/Maintain Documentation
    Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for restricted data. CC ID 01921
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Technical security Data and Information Management
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Define and assign the data processor's roles and responsibilities. CC ID 12607
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]
    Human Resources management Human Resources Management
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677
    [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]
    Human Resources management Human Resources Management
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Communicate
    Establish, implement, and maintain a legal support program. CC ID 13710
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Communicate
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Behavior
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Investigate
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Behavior
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Monitor and Evaluate Occurrences
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Monitor and Evaluate Occurrences
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Business Processes
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Communicate
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Establish/Maintain Documentation
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Behavior
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Behavior
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Behavior
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Human Resources management Human Resources Management
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Human Resources Management
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373
    [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 Operational management Communicate
    Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 Operational management Human Resources Management
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Establish/Maintain Documentation
    Include incident escalation procedures in the Incident Management program. CC ID 00856 Operational management Establish/Maintain Documentation
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Establish/Maintain Documentation
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Establish/Maintain Documentation
    Include a definition of affected transactions in the incident criteria. CC ID 17180 Operational management Establish/Maintain Documentation
    Include a definition of affected parties in the incident criteria. CC ID 17179 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208 Operational management Technical Security
    Define and document the criteria to be used in categorizing incidents. CC ID 10033 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Include the investigation methodology in the forensic investigation report. CC ID 17071 Operational management Establish/Maintain Documentation
    Include corrective actions in the forensic investigation report. CC ID 17070 Operational management Establish/Maintain Documentation
    Include the investigation results in the forensic investigation report. CC ID 17069 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Redact restricted data before sharing incident information. CC ID 16994 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Business Processes
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Establish/Maintain Documentation
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Establish/Maintain Documentation
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Establish/Maintain Documentation
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Establish/Maintain Documentation
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Establish/Maintain Documentation
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Establish/Maintain Documentation
    Use plain language to write incident response notifications. CC ID 12976 Operational management Establish/Maintain Documentation
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Establish/Maintain Documentation
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Establish/Maintain Documentation
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Establish/Maintain Documentation
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Behavior
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Establish/Maintain Documentation
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Behavior
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Behavior
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Monitor and Evaluate Occurrences
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Investigate
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Establish/Maintain Documentation
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Establish/Maintain Documentation
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Technical Security
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Include after-action analysis procedures in the Incident Management program. CC ID 01219 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Destroy investigative materials, as necessary. CC ID 17082 Operational management Data and Information Management
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Records Management
    Log incidents in the Incident Management audit log. CC ID 00857 Operational management Establish/Maintain Documentation
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include the information that was exchanged in the incident management audit log. CC ID 16995 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Log Management
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Establish/Maintain Documentation
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Establish/Maintain Documentation
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Communicate
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Establish/Maintain Documentation
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from providing products and services, as necessary. CC ID 15580
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy notice. CC ID 16543
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data disclosed in the privacy notice. CC ID 13446
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Establish/Maintain Documentation
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Deliver privacy notices to data subjects, as necessary. CC ID 13444
    [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]
    Privacy protection for information and data Communicate
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Establish/Maintain Documentation
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467
    [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]
    Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)
    If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Protect private communications in keeping with compliance requirements. CC ID 14334
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Business Processes
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546
    [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Human Resources Management
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Data and Information Management
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451
    [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e)
    {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]
    Privacy protection for information and data Business Processes
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Behavior
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]
    Privacy protection for information and data Process or Activity
    Cooperate with Data Protection Authorities. CC ID 06870
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685
    [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935
    [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679
    [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678
    [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c)
    {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676
    [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2)
    A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1)
    {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686
    [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]
    Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670
    [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093
    [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115
    [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]
    Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545
    [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]
    Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Behavior
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Communicate
    Delay responding to data access requests, as necessary. CC ID 15504
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject after personal data is used or disclosed. CC ID 06247
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Records Management
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667
    [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]
    Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197
    [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]
    Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Process restricted data lawfully and carefully. CC ID 00086
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 Privacy protection for information and data Business Processes
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 Privacy protection for information and data Business Processes
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]
    Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192
    [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]
    Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]
    Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]
    Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]
    Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]
    Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]
    Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430
    [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)
    {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]
    Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431
    [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]
    Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.
    {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6)
    {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]
    Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027
    [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c)
    The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d)
    {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126
    [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a)
    {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b)
    {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a)
    {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]
    Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535
    [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]
    Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504
    [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3)
    A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)
    {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544
    [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]
    Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542
    [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain a Customer Information Management program. CC ID 00084 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain customer data authentication procedures. CC ID 13187
    [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d)
    {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Check the accuracy of restricted data. CC ID 00088 Privacy protection for information and data Data and Information Management
    Check the data accuracy of new accounts. CC ID 04859 Privacy protection for information and data Data and Information Management
    Use documents for identification that do not appear altered or forged. CC ID 04860 Privacy protection for information and data Establish/Maintain Documentation
    Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 Privacy protection for information and data Data and Information Management
    Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 Privacy protection for information and data Data and Information Management
    Correlate the applicant's social security number with their date of birth. CC ID 04864 Privacy protection for information and data Data and Information Management
    Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 Privacy protection for information and data Data and Information Management
    Compare the applicant's personal data against known fraudulent activities. CC ID 04865 Privacy protection for information and data Data and Information Management
    Compare the applicant's address against known suspicious addresses. CC ID 04866 Privacy protection for information and data Data and Information Management
    Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 Privacy protection for information and data Data and Information Management
    Provide additional personal data when the application is incomplete. CC ID 04869 Privacy protection for information and data Data and Information Management
    Interview appropriate parties to validate consumer information. CC ID 16902 Privacy protection for information and data Process or Activity
    Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 Privacy protection for information and data Business Processes
    Use contact methods specified by the consumer for identity verification. CC ID 16878 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f)
    Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518
    [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 Third Party and supply chain oversight Communicate
    Include the audit scope in the third party external audit report. CC ID 13138 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Business Processes
    Provide products or services per customer requests. CC ID 08893
    [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]
    Third Party and supply chain oversight Business Processes