Authority Document - Unified Compliance

Back

North America > Kentucky State Legislature

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

AD ID

0003948

AD STATUS

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

ORIGINATOR

Kentucky State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

Free

SYNONYMS

Kentucky Consumer Data Protection Act

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.

URL

Click here

AD ID

0003948

AD STATUS

Free

ORIGINATOR

Kentucky State Legislature

TYPE

Statutes (Bills or Acts)

AVAILABILITY

SYNONYMS

Kentucky Consumer Data Protection Act

Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 107 Mandated Controls - bold
75 Implied Controls - italic 469 Implementation

Number of Controls

651 Total

Acquisition or sale of facilities, technology, and services

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquisition or sale of facilities, technology, and services CC ID 01123	IT Impact Zone	IT Impact Zone
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition/Sale of Assets or Services	Preventive
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Acquisition/Sale of Assets or Services	Preventive

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Establish/Maintain Documentation	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777	Establish Roles	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]	Human Resources Management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Human Resources Management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Communicate	Preventive
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Establish/Maintain Documentation	Preventive
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Audits and Risk Management	Detective
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources Management	Preventive
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Communicate	Preventive
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Behavior	Preventive
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Investigate	Preventive
Establish, implement, and maintain an ethical culture. CC ID 12781	Behavior	Preventive
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Monitor and Evaluate Occurrences	Preventive
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Monitor and Evaluate Occurrences	Preventive
Refrain from practicing false advertising. CC ID 14253	Business Processes	Preventive
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Business Processes	Preventive
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Communicate	Preventive
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Establish/Maintain Documentation	Preventive
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Behavior	Preventive
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Behavior	Preventive
Respond to ethics complaints of ethics violations. CC ID 11497	Business Processes	Corrective
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Behavior	Preventive
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources Management	Preventive
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources Management	Preventive
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources Management	Preventive
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Establish Roles	Preventive
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Behavior	Preventive
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Behavior	Preventive
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Behavior	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Establish/Maintain Documentation	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Establish/Maintain Documentation	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Establish/Maintain Documentation	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]	Establish/Maintain Documentation	Preventive
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Business Processes	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Establish/Maintain Documentation	Preventive
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Establish Roles	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Establish/Maintain Documentation	Preventive
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Communicate	Preventive

Monitoring and measurement

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Log Management	Detective
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitor and Evaluate Occurrences	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Audits and Risk Management	Preventive
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Acquisition/Sale of Assets or Services	Preventive
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Establish/Maintain Documentation	Preventive
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Business Processes	Preventive
Update or adjust fraud detection systems, as necessary. CC ID 13684	Process or Activity	Corrective
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Testing	Preventive
Include a system description in the system security plan. CC ID 16467	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Establish/Maintain Documentation	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Establish/Maintain Documentation	Preventive
Include the information types in the system security plan. CC ID 14696	Establish/Maintain Documentation	Preventive
Include the security requirements in the system security plan. CC ID 14274	Establish/Maintain Documentation	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Establish/Maintain Documentation	Preventive
Include threats in the system security plan. CC ID 14693	Establish/Maintain Documentation	Preventive
Include network diagrams in the system security plan. CC ID 14273	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Establish/Maintain Documentation	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Establish/Maintain Documentation	Preventive
Include remote access methods in the system security plan. CC ID 16441	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Communicate	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Establish/Maintain Documentation	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the system security plan. CC ID 14255	Process or Activity	Preventive
Include security controls in the system security plan. CC ID 14239	Establish/Maintain Documentation	Preventive
Create specific test plans to test each system component. CC ID 00661	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Establish/Maintain Documentation	Preventive
Include the assessment team in the test plan. CC ID 14297	Establish/Maintain Documentation	Preventive
Include the scope in the test plans. CC ID 14293	Establish/Maintain Documentation	Preventive
Include the assessment environment in the test plan. CC ID 14271	Establish/Maintain Documentation	Preventive
Approve the system security plan. CC ID 14241	Business Processes	Preventive
Adhere to the system security plan. CC ID 11640	Testing	Detective
Review the test plans for each system component. CC ID 00662	Establish/Maintain Documentation	Preventive
Validate all testing assumptions in the test plans. CC ID 00663	Testing	Detective
Document validated testing processes in the testing procedures. CC ID 06200	Establish/Maintain Documentation	Preventive
Require testing procedures to be complete. CC ID 00664	Testing	Detective
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Establish/Maintain Documentation	Preventive
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Testing	Preventive
Implement automated audit tools. CC ID 04882	Acquisition/Sale of Assets or Services	Preventive
Assign senior management to approve test plans. CC ID 13071	Human Resources Management	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Establish/Maintain Documentation	Preventive
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]	Monitor and Evaluate Occurrences	Detective
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Establish/Maintain Documentation	Preventive
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Business Processes	Detective
Determine the causes of compliance violations. CC ID 12401	Investigate	Corrective
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Establish/Maintain Documentation	Preventive
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Investigate	Detective
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Process or Activity	Corrective
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Investigate	Detective
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Behavior	Corrective
Align disciplinary actions with the level of compliance violation. CC ID 12404	Human Resources Management	Preventive
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Establish/Maintain Documentation	Preventive
Include a copy of the order in the disciplinary action notice. CC ID 16606	Establish/Maintain Documentation	Preventive
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Establish/Maintain Documentation	Preventive
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Establish/Maintain Documentation	Preventive
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Establish/Maintain Documentation	Preventive
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Establish/Maintain Documentation	Preventive
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Communicate	Preventive
Include required information in the disciplinary action notice. CC ID 16584	Establish/Maintain Documentation	Preventive
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Establish/Maintain Documentation	Preventive
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Establish/Maintain Documentation	Preventive
Include the investigation results in the disciplinary action notice. CC ID 16581	Establish/Maintain Documentation	Preventive
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Establish/Maintain Documentation	Preventive
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Establish/Maintain Documentation	Preventive
Include contact information in the disciplinary action notice. CC ID 16578	Establish/Maintain Documentation	Preventive

Operational management

181

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630	Business Processes	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Establish/Maintain Documentation	Preventive
Apply security controls to each level of the information classification standard. CC ID 01903	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Business Processes	Preventive
Establish, implement, and maintain an incident management policy. CC ID 16414	Establish/Maintain Documentation	Preventive
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Communicate	Preventive
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Human Resources Management	Preventive
Define the uses and capabilities of the Incident Management program. CC ID 00854	Establish/Maintain Documentation	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856	Establish/Maintain Documentation	Preventive
Define the characteristics of the Incident Management program. CC ID 00855	Establish/Maintain Documentation	Preventive
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Establish/Maintain Documentation	Preventive
Include the criteria for an incident in the Incident Management program. CC ID 12173	Establish/Maintain Documentation	Preventive
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Business Processes	Detective
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Establish/Maintain Documentation	Preventive
Categorize the incident following an incident response. CC ID 13208	Technical Security	Preventive
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Establish/Maintain Documentation	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650	Monitor and Evaluate Occurrences	Corrective
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Monitor and Evaluate Occurrences	Detective
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Monitor and Evaluate Occurrences	Detective
Identify root causes of incidents that force system changes. CC ID 13482	Investigate	Detective
Respond to and triage when an incident is detected. CC ID 06942	Monitor and Evaluate Occurrences	Detective
Document the incident and any relevant evidence in the incident report. CC ID 08659	Establish/Maintain Documentation	Detective
Escalate incidents, as necessary. CC ID 14861	Monitor and Evaluate Occurrences	Corrective
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Process or Activity	Corrective
Respond to all alerts from security systems in a timely manner. CC ID 06434	Behavior	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Process or Activity	Corrective
Contain the incident to prevent further loss. CC ID 01751	Process or Activity	Corrective
Wipe data and memory after an incident has been detected. CC ID 16850	Technical Security	Corrective
Refrain from accessing compromised systems. CC ID 01752	Technical Security	Corrective
Isolate compromised systems from the network. CC ID 01753	Technical Security	Corrective
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Log Management	Corrective
Change authenticators after a security incident has been detected. CC ID 06789	Technical Security	Corrective
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Investigate	Detective
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Establish/Maintain Documentation	Preventive
Include the investigation methodology in the forensic investigation report. CC ID 17071	Establish/Maintain Documentation	Preventive
Include corrective actions in the forensic investigation report. CC ID 17070	Establish/Maintain Documentation	Preventive
Include the investigation results in the forensic investigation report. CC ID 17069	Establish/Maintain Documentation	Preventive
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Establish/Maintain Documentation	Detective
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Establish/Maintain Documentation	Detective
Assess all incidents to determine what information was accessed. CC ID 01226	Testing	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Monitor and Evaluate Occurrences	Corrective
Analyze the incident response process following an incident response. CC ID 13179	Investigate	Detective
Share incident information with interested personnel and affected parties. CC ID 01212	Data and Information Management	Corrective
Share data loss event information with the media. CC ID 01759	Behavior	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Data and Information Management	Preventive
Share data loss event information with interconnected system owners. CC ID 01209	Establish/Maintain Documentation	Corrective
Redact restricted data before sharing incident information. CC ID 16994	Data and Information Management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Communicate	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Communicate	Preventive
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Establish/Maintain Documentation	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Data and Information Management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Log Management	Detective
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Communicate	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Communicate	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Behavior	Corrective
Remediate security violations according to organizational standards. CC ID 12338	Business Processes	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Establish/Maintain Documentation	Preventive
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Behavior	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Behavior	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Behavior	Corrective
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Establish/Maintain Documentation	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Communicate	Preventive
Revoke the written request to delay the notification. CC ID 16843	Process or Activity	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Establish/Maintain Documentation	Preventive
Avoid false positive incident response notifications. CC ID 04732	Behavior	Detective
Establish, implement, and maintain incident response notifications. CC ID 12975	Establish/Maintain Documentation	Corrective
Refrain from charging for providing incident response notifications. CC ID 13876	Business Processes	Preventive
Include information required by law in incident response notifications. CC ID 00802	Establish/Maintain Documentation	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Establish/Maintain Documentation	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Establish/Maintain Documentation	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Establish/Maintain Documentation	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Establish/Maintain Documentation	Preventive
Use plain language to write incident response notifications. CC ID 12976	Establish/Maintain Documentation	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Establish/Maintain Documentation	Preventive
Refrain from including restricted information in the incident response notification. CC ID 16806	Actionable Reports or Measurements	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Establish/Maintain Documentation	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Establish/Maintain Documentation	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Establish/Maintain Documentation	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Establish/Maintain Documentation	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Establish/Maintain Documentation	Preventive
Include time information in incident response notifications. CC ID 04745	Establish/Maintain Documentation	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Establish/Maintain Documentation	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Establish/Maintain Documentation	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Establish/Maintain Documentation	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Establish/Maintain Documentation	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Establish/Maintain Documentation	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Establish/Maintain Documentation	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Establish/Maintain Documentation	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Establish/Maintain Documentation	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Establish/Maintain Documentation	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Establish/Maintain Documentation	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Establish/Maintain Documentation	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Establish/Maintain Documentation	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Establish/Maintain Documentation	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Establish/Maintain Documentation	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Establish/Maintain Documentation	Detective
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Communicate	Corrective
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Business Processes	Corrective
Include contact information in incident response notifications. CC ID 04739	Establish/Maintain Documentation	Preventive
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Communicate	Preventive
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Behavior	Corrective
Post the incident response notification on the organization's website. CC ID 16809	Process or Activity	Preventive
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Behavior	Corrective
Document the determination for providing a substitute incident response notification. CC ID 16841	Process or Activity	Preventive
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Behavior	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Behavior	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Behavior	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Establish/Maintain Documentation	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Establish/Maintain Documentation	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Behavior	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Behavior	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Behavior	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Behavior	Corrective
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Communicate	Corrective
Establish, implement, and maintain a containment strategy. CC ID 13480	Establish/Maintain Documentation	Preventive
Include the containment approach in the containment strategy. CC ID 13486	Establish/Maintain Documentation	Preventive
Include response times in the containment strategy. CC ID 13485	Establish/Maintain Documentation	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Establish/Maintain Documentation	Corrective
Change wireless access variables after a data loss event has been detected. CC ID 01756	Technical Security	Corrective
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Business Processes	Corrective
Establish, implement, and maintain a restoration log. CC ID 12745	Establish/Maintain Documentation	Preventive
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Data and Information Management	Preventive
Include a description of the restored data in the restoration log. CC ID 15462	Data and Information Management	Preventive
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Human Resources Management	Corrective
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Establish/Maintain Documentation	Preventive
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Monitor and Evaluate Occurrences	Detective
Re-image compromised systems with secure builds. CC ID 12086	Technical Security	Corrective
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Establish/Maintain Documentation	Preventive
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Monitor and Evaluate Occurrences	Preventive
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Investigate	Preventive
Update the incident response procedures using the lessons learned. CC ID 01233	Establish/Maintain Documentation	Preventive
Test incident monitoring procedures. CC ID 13194	Testing	Detective
Include incident response procedures in the Incident Management program. CC ID 01218	Establish/Maintain Documentation	Preventive
Integrate configuration management procedures into the incident management program. CC ID 13647	Technical Security	Preventive
Include incident management procedures in the Incident Management program. CC ID 12689	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Establish/Maintain Documentation	Preventive
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Establish/Maintain Documentation	Preventive
Conduct incident investigations, as necessary. CC ID 13826	Process or Activity	Detective
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Investigate	Detective
Identify the affected parties during incident investigations. CC ID 16781	Investigate	Detective
Interview suspects during incident investigations, as necessary. CC ID 14041	Investigate	Detective
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Investigate	Detective
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Establish/Maintain Documentation	Preventive
Destroy investigative materials, as necessary. CC ID 17082	Data and Information Management	Preventive
Establish, implement, and maintain incident management audit logs. CC ID 13514	Records Management	Preventive
Log incidents in the Incident Management audit log. CC ID 00857	Establish/Maintain Documentation	Preventive
Include who the incident was reported to in the incident management audit log. CC ID 16487	Log Management	Preventive
Include the information that was exchanged in the incident management audit log. CC ID 16995	Log Management	Preventive
Include corrective actions in the incident management audit log. CC ID 16466	Establish/Maintain Documentation	Preventive
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Log Management	Corrective
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Log Management	Preventive
Include emergency processing priorities in the Incident Management program. CC ID 00859	Establish/Maintain Documentation	Preventive
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Establish/Maintain Documentation	Preventive
Include incident record closure procedures in the Incident Management program. CC ID 01620	Establish/Maintain Documentation	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Communicate	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Communicate	Corrective
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Establish/Maintain Documentation	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Establish/Maintain Documentation	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Establish/Maintain Documentation	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Technical Security	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Technical Security	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Technical Security	Corrective

Privacy protection for information and data

311

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]	Establish/Maintain Documentation	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Establish/Maintain Documentation	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Establish/Maintain Documentation	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]	Establish/Maintain Documentation	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]	Establish/Maintain Documentation	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Establish/Maintain Documentation	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]	Establish/Maintain Documentation	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Establish/Maintain Documentation	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]	Process or Activity	Detective
Refrain from providing information to the data subject, as necessary. CC ID 12625	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Establish/Maintain Documentation	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Business Processes	Preventive
Disseminate private communications when required by law. CC ID 14335	Communicate	Corrective
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Establish/Maintain Documentation	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Human Resources Management	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Business Processes	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Business Processes	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Data and Information Management	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]	Business Processes	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Notify the supervisory authority. CC ID 00472	Behavior	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Process or Activity	Preventive
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]	Data and Information Management	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Establish/Maintain Documentation	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Establish/Maintain Documentation	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]	Establish/Maintain Documentation	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Establish/Maintain Documentation	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Establish/Maintain Documentation	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Establish/Maintain Documentation	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Establish/Maintain Documentation	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Establish/Maintain Documentation	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Establish/Maintain Documentation	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Establish/Maintain Documentation	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]	Establish/Maintain Documentation	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]	Human Resources Management	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Establish/Maintain Documentation	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Data and Information Management	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Data and Information Management	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Establish/Maintain Documentation	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Behavior	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Behavior	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Establish/Maintain Documentation	Preventive
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Process or Activity	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Data and Information Management	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416	Data and Information Management	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Data and Information Management	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Data and Information Management	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Data and Information Management	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Establish/Maintain Documentation	Preventive
Define what is to be included in a data access request. CC ID 08699	Establish/Maintain Documentation	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Business Processes	Preventive
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Behavior	Preventive
Respond to data access requests in an official language. CC ID 17176	Communicate	Preventive
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Data and Information Management	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Data and Information Management	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Behavior	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Behavior	Detective
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Business Processes	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Process or Activity	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Establish/Maintain Documentation	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Data and Information Management	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Notify third parties of data access requests that relates to the third party. CC ID 08703	Establish/Maintain Documentation	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Process or Activity	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Behavior	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551	Records Management	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Data and Information Management	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Data and Information Management	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Business Processes	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Business Processes	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Business Processes	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Business Processes	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Business Processes	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Business Processes	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Business Processes	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Business Processes	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Process or Activity	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for the purposes of employment. CC ID 16527	Data and Information Management	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Data and Information Management	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Data and Information Management	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Behavior	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Data and Information Management	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Data and Information Management	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Establish/Maintain Documentation	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Data and Information Management	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Data and Information Management	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Data and Information Management	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Establish/Maintain Documentation	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]	Data and Information Management	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Data and Information Management	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Data and Information Management	Preventive
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Data and Information Management	Preventive
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Data and Information Management	Preventive
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Data and Information Management	Preventive
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]	Human Resources Management	Detective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Data and Information Management	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Behavior	Detective
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]	Business Processes	Corrective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Behavior	Preventive
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Establish/Maintain Documentation	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Establish/Maintain Documentation	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Establish/Maintain Documentation	Preventive
Define the fee structure for the appeal process. CC ID 16532	Process or Activity	Preventive
Define the time requirements for the appeal process. CC ID 16531	Process or Activity	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]	Communicate	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Communicate	Preventive
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Data and Information Management	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Establish/Maintain Documentation	Preventive
Check the accuracy of restricted data. CC ID 00088	Data and Information Management	Preventive
Record restricted data correctly. CC ID 00089	Testing	Detective
Check the data accuracy of new accounts. CC ID 04859	Data and Information Management	Preventive
Use documents for identification that do not appear altered or forged. CC ID 04860	Establish/Maintain Documentation	Preventive
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Testing	Detective
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Data and Information Management	Preventive
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Data and Information Management	Preventive
Correlate the applicant's social security number with their date of birth. CC ID 04864	Data and Information Management	Preventive
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Data and Information Management	Preventive
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Data and Information Management	Preventive
Compare the applicant's address against known suspicious addresses. CC ID 04866	Data and Information Management	Preventive
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Data and Information Management	Preventive
Provide additional personal data when the application is incomplete. CC ID 04869	Data and Information Management	Preventive
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Data and Information Management	Detective
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Behavior	Detective
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Data and Information Management	Detective
Interview appropriate parties to validate consumer information. CC ID 16902	Process or Activity	Preventive
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Business Processes	Detective
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Business Processes	Preventive
Use contact methods specified by the consumer for identity verification. CC ID 16878	Process or Activity	Preventive

Technical security

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Technical security CC ID 00508	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a digital identity management program. CC ID 13713	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Establish/Maintain Documentation	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Establish/Maintain Documentation	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Establish/Maintain Documentation	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Establish/Maintain Documentation	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an access control program. CC ID 11702	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Establish/Maintain Documentation	Preventive
Control access rights to organizational assets. CC ID 00004	Technical Security	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Establish Roles	Preventive
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Data and Information Management	Preventive

Third Party and supply chain oversight

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Third Party and supply chain oversight CC ID 08807	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a supply chain management program. CC ID 11742	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]	Establish/Maintain Documentation	Preventive
Review and update all contracts, as necessary. CC ID 11612	Establish/Maintain Documentation	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Process or Activity	Detective
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506	Establish/Maintain Documentation	Preventive
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]	Establish/Maintain Documentation	Preventive
Conduct all parts of the supply chain due diligence process. CC ID 08854	Business Processes	Preventive
Assess third parties' compliance environment during due diligence. CC ID 13134	Process or Activity	Detective
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Establish/Maintain Documentation	Detective
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Communicate	Preventive
Include the audit scope in the third party external audit report. CC ID 13138	Establish/Maintain Documentation	Preventive
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Establish/Maintain Documentation	Detective
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Business Processes	Preventive
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]	Business Processes	Preventive

Common Controls and
mandates by Type 107 Mandated Controls - bold
75 Implied Controls - italic 469 Implementation

Number of Controls

651 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Monitoring and measurement	Preventive
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Preventive
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition or sale of facilities, technology, and services	Preventive
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Acquisition or sale of facilities, technology, and services	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Preventive
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Human Resources management	Detective

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Monitoring and measurement	Corrective
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Human Resources management	Preventive
Establish, implement, and maintain an ethical culture. CC ID 12781	Human Resources management	Preventive
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Human Resources management	Preventive
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Human Resources management	Preventive
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Human Resources management	Preventive
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Human Resources management	Preventive
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Human Resources management	Preventive
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Human Resources management	Preventive
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Corrective
Share data loss event information with the media. CC ID 01759	Operational management	Corrective
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Corrective
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Operational management	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Corrective
Avoid false positive incident response notifications. CC ID 04732	Operational management	Detective
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Corrective
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Corrective
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Corrective
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Privacy protection for information and data	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Preventive
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Privacy protection for information and data	Detective
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Preventive
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Preventive
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Privacy protection for information and data	Detective

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Preventive
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Preventive
Approve the system security plan. CC ID 14241	Monitoring and measurement	Preventive
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Monitoring and measurement	Detective
Refrain from practicing false advertising. CC ID 14253	Human Resources management	Preventive
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Human Resources management	Preventive
Respond to ethics complaints of ethics violations. CC ID 11497	Human Resources management	Corrective
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Preventive
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Operational management	Detective
Remediate security violations according to organizational standards. CC ID 12338	Operational management	Preventive
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Preventive
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Corrective
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Operational management	Corrective
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]	Privacy protection for information and data	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Privacy protection for information and data	Preventive
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Privacy protection for information and data	Preventive
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]	Privacy protection for information and data	Corrective
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Privacy protection for information and data	Detective
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Privacy protection for information and data	Preventive
Conduct all parts of the supply chain due diligence process. CC ID 08854	Third Party and supply chain oversight	Preventive
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Third Party and supply chain oversight	Preventive
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]	Third Party and supply chain oversight	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Preventive
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Monitoring and measurement	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]	Audits and risk management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Preventive
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Human Resources management	Preventive
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Human Resources management	Preventive
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Operational management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Preventive
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Preventive
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Corrective
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Preventive
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Corrective
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Operational management	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Operational management	Corrective
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Privacy protection for information and data	Preventive
Disseminate private communications when required by law. CC ID 14335	Privacy protection for information and data	Corrective
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Preventive
Respond to data access requests in an official language. CC ID 17176	Privacy protection for information and data	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Corrective
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Corrective
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]	Privacy protection for information and data	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]	Privacy protection for information and data	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Preventive
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Third Party and supply chain oversight	Preventive

Data and Information Management

149

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Technical security	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Preventive
Redact restricted data before sharing incident information. CC ID 16994	Operational management	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Corrective
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Operational management	Preventive
Include a description of the restored data in the restoration log. CC ID 15462	Operational management	Preventive
Destroy investigative materials, as necessary. CC ID 17082	Operational management	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]	Privacy protection for information and data	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Privacy protection for information and data	Preventive
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]	Privacy protection for information and data	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Privacy protection for information and data	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416	Privacy protection for information and data	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Privacy protection for information and data	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Privacy protection for information and data	Preventive
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Privacy protection for information and data	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Privacy protection for information and data	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Privacy protection for information and data	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]	Privacy protection for information and data	Preventive
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Preventive
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Privacy protection for information and data	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Privacy protection for information and data	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Privacy protection for information and data	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Privacy protection for information and data	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Preventive
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Preventive
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]	Privacy protection for information and data	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Preventive
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]	Privacy protection for information and data	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Preventive
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Privacy protection for information and data	Preventive
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Privacy protection for information and data	Preventive
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Privacy protection for information and data	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Preventive
Check the accuracy of restricted data. CC ID 00088	Privacy protection for information and data	Preventive
Check the data accuracy of new accounts. CC ID 04859	Privacy protection for information and data	Preventive
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Privacy protection for information and data	Preventive
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Privacy protection for information and data	Preventive
Correlate the applicant's social security number with their date of birth. CC ID 04864	Privacy protection for information and data	Preventive
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Privacy protection for information and data	Preventive
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Privacy protection for information and data	Preventive
Compare the applicant's address against known suspicious addresses. CC ID 04866	Privacy protection for information and data	Preventive
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Privacy protection for information and data	Preventive
Provide additional personal data when the application is incomplete. CC ID 04869	Privacy protection for information and data	Preventive
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Privacy protection for information and data	Detective
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Privacy protection for information and data	Detective

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Preventive
Identify and define all critical roles. CC ID 00777	Human Resources management	Preventive
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Human Resources management	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

256

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Leadership and high level objectives	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]	Leadership and high level objectives	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Preventive
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Monitoring and measurement	Preventive
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Preventive
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Preventive
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Preventive
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Preventive
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Preventive
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Preventive
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Preventive
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Preventive
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Preventive
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Preventive
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Preventive
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Preventive
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Preventive
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Preventive
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Monitoring and measurement	Preventive
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Monitoring and measurement	Preventive
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Monitoring and measurement	Preventive
Include a copy of the order in the disciplinary action notice. CC ID 16606	Monitoring and measurement	Preventive
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Monitoring and measurement	Preventive
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Monitoring and measurement	Preventive
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Monitoring and measurement	Preventive
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Monitoring and measurement	Preventive
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Monitoring and measurement	Preventive
Include required information in the disciplinary action notice. CC ID 16584	Monitoring and measurement	Preventive
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Monitoring and measurement	Preventive
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Monitoring and measurement	Preventive
Include the investigation results in the disciplinary action notice. CC ID 16581	Monitoring and measurement	Preventive
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Monitoring and measurement	Preventive
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Monitoring and measurement	Preventive
Include contact information in the disciplinary action notice. CC ID 16578	Monitoring and measurement	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Preventive
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Preventive
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Technical security	Preventive
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Preventive
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Preventive
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Preventive
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Preventive
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Preventive
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Preventive
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Human Resources management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Preventive
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]	Operational management	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Operational management	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Establish, implement, and maintain an incident management policy. CC ID 16414	Operational management	Preventive
Define the uses and capabilities of the Incident Management program. CC ID 00854	Operational management	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856	Operational management	Preventive
Define the characteristics of the Incident Management program. CC ID 00855	Operational management	Preventive
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Operational management	Preventive
Include the criteria for an incident in the Incident Management program. CC ID 12173	Operational management	Preventive
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Operational management	Preventive
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Preventive
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Operational management	Preventive
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Detective
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Operational management	Preventive
Include the investigation methodology in the forensic investigation report. CC ID 17071	Operational management	Preventive
Include corrective actions in the forensic investigation report. CC ID 17070	Operational management	Preventive
Include the investigation results in the forensic investigation report. CC ID 17069	Operational management	Preventive
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Operational management	Detective
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Operational management	Detective
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Corrective
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Preventive
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Operational management	Preventive
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Preventive
Establish, implement, and maintain incident response notifications. CC ID 12975	Operational management	Corrective
Include information required by law in incident response notifications. CC ID 00802	Operational management	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Preventive
Use plain language to write incident response notifications. CC ID 12976	Operational management	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Preventive
Include time information in incident response notifications. CC ID 04745	Operational management	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Detective
Include contact information in incident response notifications. CC ID 04739	Operational management	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Preventive
Establish, implement, and maintain a containment strategy. CC ID 13480	Operational management	Preventive
Include the containment approach in the containment strategy. CC ID 13486	Operational management	Preventive
Include response times in the containment strategy. CC ID 13485	Operational management	Preventive
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Corrective
Establish, implement, and maintain a restoration log. CC ID 12745	Operational management	Preventive
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Preventive
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Operational management	Preventive
Update the incident response procedures using the lessons learned. CC ID 01233	Operational management	Preventive
Include incident response procedures in the Incident Management program. CC ID 01218	Operational management	Preventive
Include incident management procedures in the Incident Management program. CC ID 12689	Operational management	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Preventive
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Operational management	Preventive
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Operational management	Preventive
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Operational management	Preventive
Log incidents in the Incident Management audit log. CC ID 00857	Operational management	Preventive
Include corrective actions in the incident management audit log. CC ID 16466	Operational management	Preventive
Include emergency processing priorities in the Incident Management program. CC ID 00859	Operational management	Preventive
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Operational management	Preventive
Include incident record closure procedures in the Incident Management program. CC ID 01620	Operational management	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Preventive
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]	Privacy protection for information and data	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]	Privacy protection for information and data	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]	Privacy protection for information and data	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]	Privacy protection for information and data	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]	Privacy protection for information and data	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Preventive
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]	Privacy protection for information and data	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Privacy protection for information and data	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Privacy protection for information and data	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]	Privacy protection for information and data	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]	Privacy protection for information and data	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Privacy protection for information and data	Preventive
Define what is to be included in a data access request. CC ID 08699	Privacy protection for information and data	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Privacy protection for information and data	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Privacy protection for information and data	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Preventive
Notify third parties of data access requests that relates to the third party. CC ID 08703	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]	Privacy protection for information and data	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Privacy protection for information and data	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Preventive
Use documents for identification that do not appear altered or forged. CC ID 04860	Privacy protection for information and data	Preventive
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Preventive
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]	Third Party and supply chain oversight	Preventive
Review and update all contracts, as necessary. CC ID 11612	Third Party and supply chain oversight	Preventive
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506	Third Party and supply chain oversight	Preventive
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]	Third Party and supply chain oversight	Preventive
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Third Party and supply chain oversight	Detective
Include the audit scope in the third party external audit report. CC ID 13138	Third Party and supply chain oversight	Preventive
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Third Party and supply chain oversight	Detective
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Third Party and supply chain oversight	Detective

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Preventive
Align disciplinary actions with the level of compliance violation. CC ID 12404	Monitoring and measurement	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]	Human Resources management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Human Resources management	Preventive
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Preventive
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Preventive
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources management	Preventive
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources management	Preventive
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Operational management	Preventive
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Operational management	Corrective
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]	Privacy protection for information and data	Preventive
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]	Privacy protection for information and data	Detective

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Determine the causes of compliance violations. CC ID 12401	Monitoring and measurement	Corrective
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Monitoring and measurement	Detective
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Monitoring and measurement	Detective
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Human Resources management	Preventive
Identify root causes of incidents that force system changes. CC ID 13482	Operational management	Detective
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Operational management	Detective
Analyze the incident response process following an incident response. CC ID 13179	Operational management	Detective
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Operational management	Preventive
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Operational management	Detective
Identify the affected parties during incident investigations. CC ID 16781	Operational management	Detective
Interview suspects during incident investigations, as necessary. CC ID 14041	Operational management	Detective
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Operational management	Detective
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Detective
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Operational management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Detective
Include who the incident was reported to in the incident management audit log. CC ID 16487	Operational management	Preventive
Include the information that was exchanged in the incident management audit log. CC ID 16995	Operational management	Preventive
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Operational management	Corrective
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Operational management	Preventive

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitoring and measurement	Detective
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]	Monitoring and measurement	Detective
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Human Resources management	Preventive
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Human Resources management	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650	Operational management	Corrective
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Operational management	Detective
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Operational management	Detective
Respond to and triage when an incident is detected. CC ID 06942	Operational management	Detective
Escalate incidents, as necessary. CC ID 14861	Operational management	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Operational management	Corrective
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Operational management	Detective
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Operational management	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Corrective
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Preventive
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Monitoring and measurement	Corrective
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]	Audits and risk management	Preventive
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Corrective
Contain the incident to prevent further loss. CC ID 01751	Operational management	Corrective
Revoke the written request to delay the notification. CC ID 16843	Operational management	Preventive
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Preventive
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Preventive
Conduct incident investigations, as necessary. CC ID 13826	Operational management	Detective
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]	Privacy protection for information and data	Detective
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Privacy protection for information and data	Preventive
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Privacy protection for information and data	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Privacy protection for information and data	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Privacy protection for information and data	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Preventive
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Preventive
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Preventive
Interview appropriate parties to validate consumer information. CC ID 16902	Privacy protection for information and data	Preventive
Use contact methods specified by the consumer for identity verification. CC ID 16878	Privacy protection for information and data	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Detective
Assess third parties' compliance environment during due diligence. CC ID 13134	Third Party and supply chain oversight	Detective

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain incident management audit logs. CC ID 13514	Operational management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Preventive
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Corrective
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Preventive
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]	Privacy protection for information and data	Preventive

Systems Design, Build, and Implementation

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Apply security controls to each level of the information classification standard. CC ID 01903	Operational management	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Control access rights to organizational assets. CC ID 00004	Technical security	Preventive
Categorize the incident following an incident response. CC ID 13208	Operational management	Preventive
Wipe data and memory after an incident has been detected. CC ID 16850	Operational management	Corrective
Refrain from accessing compromised systems. CC ID 01752	Operational management	Corrective
Isolate compromised systems from the network. CC ID 01753	Operational management	Corrective
Change authenticators after a security incident has been detected. CC ID 06789	Operational management	Corrective
Change wireless access variables after a data loss event has been detected. CC ID 01756	Operational management	Corrective
Re-image compromised systems with secure builds. CC ID 12086	Operational management	Corrective
Integrate configuration management procedures into the incident management program. CC ID 13647	Operational management	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Corrective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Preventive
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Detective
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Detective
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Detective
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Preventive
Assess all incidents to determine what information was accessed. CC ID 01226	Operational management	Corrective
Test incident monitoring procedures. CC ID 13194	Operational management	Detective
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Detective
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Privacy protection for information and data	Detective

Common Controls and
mandates by Classification 107 Mandated Controls - bold
75 Implied Controls - italic 469 Implementation

Number of Controls

651 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Process or Activity
Determine the causes of compliance violations. CC ID 12401	Monitoring and measurement	Investigate
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Monitoring and measurement	Process or Activity
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Monitoring and measurement	Behavior
Respond to ethics complaints of ethics violations. CC ID 11497	Human Resources management	Business Processes
Determine the incident severity level when assessing the security incidents. CC ID 01650	Operational management	Monitor and Evaluate Occurrences
Escalate incidents, as necessary. CC ID 14861	Operational management	Monitor and Evaluate Occurrences
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Process or Activity
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Behavior
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Process or Activity
Contain the incident to prevent further loss. CC ID 01751	Operational management	Process or Activity
Wipe data and memory after an incident has been detected. CC ID 16850	Operational management	Technical Security
Refrain from accessing compromised systems. CC ID 01752	Operational management	Technical Security
Isolate compromised systems from the network. CC ID 01753	Operational management	Technical Security
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754	Operational management	Log Management
Change authenticators after a security incident has been detected. CC ID 06789	Operational management	Technical Security
Assess all incidents to determine what information was accessed. CC ID 01226	Operational management	Testing
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Operational management	Monitor and Evaluate Occurrences
Share incident information with interested personnel and affected parties. CC ID 01212	Operational management	Data and Information Management
Share data loss event information with the media. CC ID 01759	Operational management	Behavior
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Establish/Maintain Documentation
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Data and Information Management
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Behavior
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Behavior
Establish, implement, and maintain incident response notifications. CC ID 12975	Operational management	Establish/Maintain Documentation
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Communicate
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Business Processes
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Behavior
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Behavior
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Behavior
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Behavior
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Behavior
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Communicate
Include incident recovery procedures in the Incident Management program. CC ID 01758	Operational management	Establish/Maintain Documentation
Change wireless access variables after a data loss event has been detected. CC ID 01756	Operational management	Technical Security
Eradicate the cause of the incident after the incident has been contained. CC ID 01757	Operational management	Business Processes
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611	Operational management	Human Resources Management
Re-image compromised systems with secure builds. CC ID 12086	Operational management	Technical Security
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Establish/Maintain Documentation
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238	Operational management	Log Management
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Operational management	Communicate
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Technical Security
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Technical Security
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Technical Security
Disseminate private communications when required by law. CC ID 14335	Privacy protection for information and data	Communicate
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Records Management
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Communicate
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Communicate
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)]	Privacy protection for information and data	Business Processes

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Log Management
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitoring and measurement	Monitor and Evaluate Occurrences
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Testing
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Testing
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Testing
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)]	Monitoring and measurement	Monitor and Evaluate Occurrences
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Monitoring and measurement	Business Processes
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Monitoring and measurement	Investigate
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Monitoring and measurement	Investigate
Provide security inspectors access to personnel files during site reviews. CC ID 12300	Human Resources management	Audits and Risk Management
Establish, implement, and maintain an anti-money laundering program. CC ID 13675	Operational management	Business Processes
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453	Operational management	Monitor and Evaluate Occurrences
Require personnel to monitor for and report suspicious account activity. CC ID 16462	Operational management	Monitor and Evaluate Occurrences
Identify root causes of incidents that force system changes. CC ID 13482	Operational management	Investigate
Respond to and triage when an incident is detected. CC ID 06942	Operational management	Monitor and Evaluate Occurrences
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Establish/Maintain Documentation
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677	Operational management	Investigate
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674	Operational management	Establish/Maintain Documentation
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678	Operational management	Establish/Maintain Documentation
Analyze the incident response process following an incident response. CC ID 13179	Operational management	Investigate
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Log Management
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801	Operational management	Behavior
Avoid false positive incident response notifications. CC ID 04732	Operational management	Behavior
Include information required by law in incident response notifications. CC ID 00802	Operational management	Establish/Maintain Documentation
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Establish/Maintain Documentation
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265	Operational management	Monitor and Evaluate Occurrences
Test incident monitoring procedures. CC ID 13194	Operational management	Testing
Conduct incident investigations, as necessary. CC ID 13826	Operational management	Process or Activity
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042	Operational management	Investigate
Identify the affected parties during incident investigations. CC ID 16781	Operational management	Investigate
Interview suspects during incident investigations, as necessary. CC ID 14041	Operational management	Investigate
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038	Operational management	Investigate
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Establish/Maintain Documentation
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.]	Privacy protection for information and data	Process or Activity
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Behavior
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Privacy protection for information and data	Behavior
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Investigate
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Privacy protection for information and data	Data and Information Management
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)]	Privacy protection for information and data	Human Resources Management
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Behavior
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Testing
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861	Privacy protection for information and data	Testing
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870	Privacy protection for information and data	Data and Information Management
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871	Privacy protection for information and data	Behavior
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872	Privacy protection for information and data	Data and Information Management
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972	Privacy protection for information and data	Business Processes
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Process or Activity
Assess third parties' compliance environment during due diligence. CC ID 13134	Third Party and supply chain oversight	Process or Activity
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Third Party and supply chain oversight	Establish/Maintain Documentation
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063	Third Party and supply chain oversight	Establish/Maintain Documentation
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065	Third Party and supply chain oversight	Establish/Maintain Documentation

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Preventive

536

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Leadership and high level objectives	Establish/Maintain Documentation
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Establish/Maintain Documentation
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)]	Leadership and high level objectives	Establish/Maintain Documentation
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Business Processes
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Establish/Maintain Documentation
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Establish Roles
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945	Leadership and high level objectives	Communicate
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Monitor and Evaluate Occurrences
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Audits and Risk Management
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983	Monitoring and measurement	Acquisition/Sale of Assets or Services
Establish, implement, and maintain a risk monitoring program. CC ID 00658	Monitoring and measurement	Establish/Maintain Documentation
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Business Processes
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Monitoring and measurement	Testing
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Establish/Maintain Documentation
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Establish/Maintain Documentation
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Establish/Maintain Documentation
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Establish/Maintain Documentation
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Establish/Maintain Documentation
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Establish/Maintain Documentation
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Establish/Maintain Documentation
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Establish/Maintain Documentation
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Establish/Maintain Documentation
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Communicate
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Establish/Maintain Documentation
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Establish/Maintain Documentation
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Establish/Maintain Documentation
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Process or Activity
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Establish/Maintain Documentation
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Establish/Maintain Documentation
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Establish/Maintain Documentation
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Establish/Maintain Documentation
Approve the system security plan. CC ID 14241	Monitoring and measurement	Business Processes
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Establish/Maintain Documentation
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Establish/Maintain Documentation
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Establish/Maintain Documentation
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Testing
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Acquisition/Sale of Assets or Services
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Human Resources Management
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Establish/Maintain Documentation
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Monitoring and measurement	Establish/Maintain Documentation
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Monitoring and measurement	Establish/Maintain Documentation
Align disciplinary actions with the level of compliance violation. CC ID 12404	Monitoring and measurement	Human Resources Management
Establish, implement, and maintain disciplinary action notices. CC ID 16577	Monitoring and measurement	Establish/Maintain Documentation
Include a copy of the order in the disciplinary action notice. CC ID 16606	Monitoring and measurement	Establish/Maintain Documentation
Include the sanctions imposed in the disciplinary action notice. CC ID 16599	Monitoring and measurement	Establish/Maintain Documentation
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589	Monitoring and measurement	Establish/Maintain Documentation
Include the requirements that were violated in the disciplinary action notice. CC ID 16588	Monitoring and measurement	Establish/Maintain Documentation
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587	Monitoring and measurement	Establish/Maintain Documentation
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585	Monitoring and measurement	Communicate
Include required information in the disciplinary action notice. CC ID 16584	Monitoring and measurement	Establish/Maintain Documentation
Include a justification for actions taken in the disciplinary action notice. CC ID 16583	Monitoring and measurement	Establish/Maintain Documentation
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582	Monitoring and measurement	Establish/Maintain Documentation
Include the investigation results in the disciplinary action notice. CC ID 16581	Monitoring and measurement	Establish/Maintain Documentation
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580	Monitoring and measurement	Establish/Maintain Documentation
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579	Monitoring and measurement	Establish/Maintain Documentation
Include contact information in the disciplinary action notice. CC ID 16578	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)]	Audits and risk management	Process or Activity
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Establish/Maintain Documentation
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Establish/Maintain Documentation
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)]	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Establish/Maintain Documentation
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Establish/Maintain Documentation
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a digital identity management program. CC ID 13713	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Technical security	Establish/Maintain Documentation
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802	Technical security	Establish/Maintain Documentation
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801	Technical security	Establish/Maintain Documentation
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800	Technical security	Establish/Maintain Documentation
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Establish/Maintain Documentation
Control access rights to organizational assets. CC ID 00004	Technical security	Technical Security
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Establish Roles
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Technical security	Data and Information Management
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Identify and define all critical roles. CC ID 00777	Human Resources management	Establish Roles
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)]	Human Resources management	Human Resources Management
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)]	Human Resources management	Human Resources Management
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Communicate
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Human Resources Management
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858	Human Resources management	Communicate
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908	Human Resources management	Behavior
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900	Human Resources management	Investigate
Establish, implement, and maintain an ethical culture. CC ID 12781	Human Resources management	Behavior
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873	Human Resources management	Monitor and Evaluate Occurrences
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872	Human Resources management	Monitor and Evaluate Occurrences
Refrain from practicing false advertising. CC ID 14253	Human Resources management	Business Processes
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806	Human Resources management	Business Processes
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859	Human Resources management	Communicate
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835	Human Resources management	Establish/Maintain Documentation
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608	Human Resources management	Behavior
Refrain from discriminating against employees who are whistleblowers. CC ID 13609	Human Resources management	Behavior
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607	Human Resources management	Behavior
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Human Resources management	Human Resources Management
Include prohibiting counterfeiting in the ethics program. CC ID 11517	Human Resources management	Human Resources Management
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055	Human Resources management	Human Resources Management
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061	Human Resources management	Establish Roles
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060	Human Resources management	Behavior
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059	Human Resources management	Behavior
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052	Human Resources management	Behavior
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Establish/Maintain Documentation
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Business Processes
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Operational management	Establish/Maintain Documentation
Apply security controls to each level of the information classification standard. CC ID 01903	Operational management	Systems Design, Build, and Implementation
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Business Processes
Establish, implement, and maintain an incident management policy. CC ID 16414	Operational management	Establish/Maintain Documentation
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885	Operational management	Communicate
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055	Operational management	Human Resources Management
Define the uses and capabilities of the Incident Management program. CC ID 00854	Operational management	Establish/Maintain Documentation
Include incident escalation procedures in the Incident Management program. CC ID 00856	Operational management	Establish/Maintain Documentation
Define the characteristics of the Incident Management program. CC ID 00855	Operational management	Establish/Maintain Documentation
Include the criteria for a data loss event in the Incident Management program. CC ID 12179	Operational management	Establish/Maintain Documentation
Include the criteria for an incident in the Incident Management program. CC ID 12173	Operational management	Establish/Maintain Documentation
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504	Operational management	Establish/Maintain Documentation
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Establish/Maintain Documentation
Categorize the incident following an incident response. CC ID 13208	Operational management	Technical Security
Define and document impact thresholds to be used in categorizing incidents. CC ID 10033	Operational management	Establish/Maintain Documentation
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095	Operational management	Establish/Maintain Documentation
Include the investigation methodology in the forensic investigation report. CC ID 17071	Operational management	Establish/Maintain Documentation
Include corrective actions in the forensic investigation report. CC ID 17070	Operational management	Establish/Maintain Documentation
Include the investigation results in the forensic investigation report. CC ID 17069	Operational management	Establish/Maintain Documentation
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Data and Information Management
Redact restricted data before sharing incident information. CC ID 16994	Operational management	Data and Information Management
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Communicate
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Communicate
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Establish/Maintain Documentation
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Communicate
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Communicate
Remediate security violations according to organizational standards. CC ID 12338	Operational management	Business Processes
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Establish/Maintain Documentation
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954	Operational management	Establish/Maintain Documentation
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Establish/Maintain Documentation
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Communicate
Revoke the written request to delay the notification. CC ID 16843	Operational management	Process or Activity
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Establish/Maintain Documentation
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Business Processes
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Establish/Maintain Documentation
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Establish/Maintain Documentation
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Establish/Maintain Documentation
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Establish/Maintain Documentation
Use plain language to write incident response notifications. CC ID 12976	Operational management	Establish/Maintain Documentation
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Establish/Maintain Documentation
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Actionable Reports or Measurements
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Establish/Maintain Documentation
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Establish/Maintain Documentation
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Establish/Maintain Documentation
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Establish/Maintain Documentation
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Establish/Maintain Documentation
Include time information in incident response notifications. CC ID 04745	Operational management	Establish/Maintain Documentation
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Establish/Maintain Documentation
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Establish/Maintain Documentation
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Establish/Maintain Documentation
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Establish/Maintain Documentation
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Establish/Maintain Documentation
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Establish/Maintain Documentation
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Establish/Maintain Documentation
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Establish/Maintain Documentation
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Establish/Maintain Documentation
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Establish/Maintain Documentation
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Establish/Maintain Documentation
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Establish/Maintain Documentation
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Establish/Maintain Documentation
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Establish/Maintain Documentation
Include contact information in incident response notifications. CC ID 04739	Operational management	Establish/Maintain Documentation
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Communicate
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Process or Activity
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Process or Activity
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Behavior
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Establish/Maintain Documentation
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Establish/Maintain Documentation
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Behavior
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Behavior
Establish, implement, and maintain a containment strategy. CC ID 13480	Operational management	Establish/Maintain Documentation
Include the containment approach in the containment strategy. CC ID 13486	Operational management	Establish/Maintain Documentation
Include response times in the containment strategy. CC ID 13485	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a restoration log. CC ID 12745	Operational management	Establish/Maintain Documentation
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463	Operational management	Data and Information Management
Include a description of the restored data in the restoration log. CC ID 15462	Operational management	Data and Information Management
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592	Operational management	Establish/Maintain Documentation
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Operational management	Establish/Maintain Documentation
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234	Operational management	Monitor and Evaluate Occurrences
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Operational management	Investigate
Update the incident response procedures using the lessons learned. CC ID 01233	Operational management	Establish/Maintain Documentation
Include incident response procedures in the Incident Management program. CC ID 01218	Operational management	Establish/Maintain Documentation
Integrate configuration management procedures into the incident management program. CC ID 13647	Operational management	Technical Security
Include incident management procedures in the Incident Management program. CC ID 12689	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Establish/Maintain Documentation
Include after-action analysis procedures in the Incident Management program. CC ID 01219	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844	Operational management	Establish/Maintain Documentation
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830	Operational management	Establish/Maintain Documentation
Destroy investigative materials, as necessary. CC ID 17082	Operational management	Data and Information Management
Establish, implement, and maintain incident management audit logs. CC ID 13514	Operational management	Records Management
Log incidents in the Incident Management audit log. CC ID 00857	Operational management	Establish/Maintain Documentation
Include who the incident was reported to in the incident management audit log. CC ID 16487	Operational management	Log Management
Include the information that was exchanged in the incident management audit log. CC ID 16995	Operational management	Log Management
Include corrective actions in the incident management audit log. CC ID 16466	Operational management	Establish/Maintain Documentation
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234	Operational management	Log Management
Include emergency processing priorities in the Incident Management program. CC ID 00859	Operational management	Establish/Maintain Documentation
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387	Operational management	Establish/Maintain Documentation
Include incident record closure procedures in the Incident Management program. CC ID 01620	Operational management	Establish/Maintain Documentation
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Operational management	Communicate
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Establish/Maintain Documentation
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Establish/Maintain Documentation
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Establish Roles
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Establish Roles
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Establish/Maintain Documentation
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Establish/Maintain Documentation
Plan for selling facilities, technology, or services. CC ID 06893	Acquisition or sale of facilities, technology, and services	Acquisition/Sale of Assets or Services
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Acquisition or sale of facilities, technology, and services	Acquisition/Sale of Assets or Services
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Data and Information Management
Establish and maintain privacy notices, as necessary. CC ID 13443	Privacy protection for information and data	Establish/Maintain Documentation
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)]	Privacy protection for information and data	Establish/Maintain Documentation
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Privacy protection for information and data	Establish/Maintain Documentation
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)]	Privacy protection for information and data	Communicate
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain opt-out notices. CC ID 13448	Privacy protection for information and data	Establish/Maintain Documentation
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from providing information to the data subject, as necessary. CC ID 12625	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Privacy protection for information and data	Communicate
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)]	Privacy protection for information and data	Data and Information Management
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Business Processes
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Business Processes
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Process or Activity
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Process or Activity
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)]	Privacy protection for information and data	Establish/Maintain Documentation
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Business Processes
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Human Resources Management
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Business Processes
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Business Processes
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Privacy protection for information and data	Data and Information Management
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.]	Privacy protection for information and data	Business Processes
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Establish/Maintain Documentation
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Establish Roles
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Behavior
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)]	Privacy protection for information and data	Process or Activity
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812	Privacy protection for information and data	Establish/Maintain Documentation
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Privacy protection for information and data	Establish/Maintain Documentation
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)]	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)]	Privacy protection for information and data	Human Resources Management
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Display or print the least amount of personal data necessary. CC ID 04643	Privacy protection for information and data	Data and Information Management
Redact confidential information from public information, as necessary. CC ID 06872	Privacy protection for information and data	Data and Information Management
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Behavior
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Data and Information Management
Document the law that requires restricted data to be collected. CC ID 00103	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Privacy protection for information and data	Behavior
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Behavior
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)]	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Establish/Maintain Documentation
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Behavior
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Privacy protection for information and data	Establish/Maintain Documentation
Dispose of media and restricted data in a timely manner. CC ID 00125	Privacy protection for information and data	Data and Information Management
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Records Management
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Communicate
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)]	Privacy protection for information and data	Process or Activity
Provide individuals with information about where their personal data was processed. CC ID 00415	Privacy protection for information and data	Data and Information Management
Provide individuals with information about the processing purpose of their personal data. CC ID 00416	Privacy protection for information and data	Data and Information Management
Provide individuals with information about disclosure of their personal data. CC ID 00417	Privacy protection for information and data	Data and Information Management
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Data and Information Management
Provide assistance to requesters in preparing data access requests. CC ID 13588	Privacy protection for information and data	Data and Information Management
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Privacy protection for information and data	Establish/Maintain Documentation
Define what is to be included in a data access request. CC ID 08699	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Privacy protection for information and data	Business Processes
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Behavior
Respond to data access requests in an official language. CC ID 17176	Privacy protection for information and data	Communicate
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Data and Information Management
Expedite the processing of data access requests, as necessary. CC ID 15496	Privacy protection for information and data	Data and Information Management
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Privacy protection for information and data	Business Processes
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Privacy protection for information and data	Process or Activity
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Privacy protection for information and data	Establish/Maintain Documentation
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Privacy protection for information and data	Data and Information Management
Document the outcome of the personal data access request review procedure. CC ID 00455	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Privacy protection for information and data	Establish/Maintain Documentation
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Records Management
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Establish/Maintain Documentation
Notify third parties of data access requests that relates to the third party. CC ID 08703	Privacy protection for information and data	Establish/Maintain Documentation
Allow affected third parties to consent or object to a data access request. CC ID 08704	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Behavior
Refrain from processing restricted data, as necessary. CC ID 12551	Privacy protection for information and data	Records Management
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)]	Privacy protection for information and data	Process or Activity
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)]	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Business Processes
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Business Processes
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Business Processes
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Business Processes
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Process or Activity
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Privacy protection for information and data	Establish Roles
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Technical Security
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Data and Information Management
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Records Management
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Data and Information Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Records Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Process or Activity
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Records Management
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Data and Information Management
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Data and Information Management
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Establish/Maintain Documentation
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Establish/Maintain Documentation
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Data and Information Management
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Data and Information Management
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Data and Information Management
Process personal data after the data subject has granted explicit consent. CC ID 00180	Privacy protection for information and data	Data and Information Management
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Data and Information Management
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Data and Information Management
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Data and Information Management
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)]	Privacy protection for information and data	Data and Information Management
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Data and Information Management
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Data and Information Management
Process personal data when it is publicly accessible. CC ID 00187	Privacy protection for information and data	Data and Information Management
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Privacy protection for information and data	Business Processes
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Data and Information Management
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Privacy protection for information and data	Data and Information Management
Process personal data for debt collection or benefit payments. CC ID 00190	Privacy protection for information and data	Data and Information Management
Process personal data in order to advance the public interest. CC ID 00191	Privacy protection for information and data	Data and Information Management
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Privacy protection for information and data	Data and Information Management
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Data and Information Management
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Data and Information Management
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Data and Information Management
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Data and Information Management
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Establish/Maintain Documentation
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.]	Privacy protection for information and data	Communicate
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)]	Privacy protection for information and data	Records Management
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Process or Activity
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)]	Privacy protection for information and data	Data and Information Management
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Data and Information Management
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Data and Information Management
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Data and Information Management
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Data and Information Management
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Behavior
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Data and Information Management
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Data and Information Management
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Establish/Maintain Documentation
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Data and Information Management
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Data and Information Management
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Privacy protection for information and data	Data and Information Management
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Data and Information Management
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Process or Activity
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Data and Information Management
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Data and Information Management
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Privacy protection for information and data	Data and Information Management
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Privacy protection for information and data	Data and Information Management
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Data and Information Management
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Privacy protection for information and data	Data and Information Management
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Data and Information Management
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Communicate
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Data and Information Management
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Process or Activity
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)]	Privacy protection for information and data	Data and Information Management
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Data and Information Management
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Privacy protection for information and data	Communicate
Provide data or records in a reasonable time frame. CC ID 00429	Privacy protection for information and data	Data and Information Management
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)]	Privacy protection for information and data	Communicate
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Data and Information Management
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)]	Privacy protection for information and data	Data and Information Management
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)]	Privacy protection for information and data	Data and Information Management
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Data and Information Management
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Data and Information Management
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Data and Information Management
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Data and Information Management
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Establish/Maintain Documentation
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Establish/Maintain Documentation
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)]	Privacy protection for information and data	Data and Information Management
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)]	Privacy protection for information and data	Data and Information Management
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Privacy protection for information and data	Data and Information Management
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)]	Privacy protection for information and data	Data and Information Management
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Privacy protection for information and data	Data and Information Management
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Data and Information Management
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Data and Information Management
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Behavior
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Privacy protection for information and data	Establish/Maintain Documentation
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Process or Activity
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Process or Activity
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)]	Privacy protection for information and data	Communicate
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)]	Privacy protection for information and data	Communicate
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)]	Privacy protection for information and data	Establish/Maintain Documentation
Check the accuracy of restricted data. CC ID 00088	Privacy protection for information and data	Data and Information Management
Check the data accuracy of new accounts. CC ID 04859	Privacy protection for information and data	Data and Information Management
Use documents for identification that do not appear altered or forged. CC ID 04860	Privacy protection for information and data	Establish/Maintain Documentation
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862	Privacy protection for information and data	Data and Information Management
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863	Privacy protection for information and data	Data and Information Management
Correlate the applicant's social security number with their date of birth. CC ID 04864	Privacy protection for information and data	Data and Information Management
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867	Privacy protection for information and data	Data and Information Management
Compare the applicant's personal data against known fraudulent activities. CC ID 04865	Privacy protection for information and data	Data and Information Management
Compare the applicant's address against known suspicious addresses. CC ID 04866	Privacy protection for information and data	Data and Information Management
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868	Privacy protection for information and data	Data and Information Management
Provide additional personal data when the application is incomplete. CC ID 04869	Privacy protection for information and data	Data and Information Management
Interview appropriate parties to validate consumer information. CC ID 16902	Privacy protection for information and data	Process or Activity
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899	Privacy protection for information and data	Business Processes
Use contact methods specified by the consumer for identity verification. CC ID 16878	Privacy protection for information and data	Process or Activity
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Establish/Maintain Documentation
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)]	Third Party and supply chain oversight	Establish/Maintain Documentation
Review and update all contracts, as necessary. CC ID 11612	Third Party and supply chain oversight	Establish/Maintain Documentation
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506	Third Party and supply chain oversight	Establish/Maintain Documentation
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)]	Third Party and supply chain oversight	Establish/Maintain Documentation
Conduct all parts of the supply chain due diligence process. CC ID 08854	Third Party and supply chain oversight	Business Processes
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139	Third Party and supply chain oversight	Communicate
Include the audit scope in the third party external audit report. CC ID 13138	Third Party and supply chain oversight	Establish/Maintain Documentation
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878	Third Party and supply chain oversight	Business Processes
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)]	Third Party and supply chain oversight	Business Processes