0003948
Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act
Kentucky State Legislature
Statutes (Bills or Acts)
Free
Kentucky Consumer Data Protection Act
Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act
Not Defined
The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.
0003948
Free
Kentucky State Legislature
Statutes (Bills or Acts)
Kentucky Consumer Data Protection Act
Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act
Not Defined
The document as a whole was last reviewed and released on 2024-08-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Kentucky Revised Statutes Title XXIX Chapter 367 Sections 367.3611 thru 367.3629, Kentucky Consumer Data Protection Act are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Acquisition/Sale of Assets or Services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)] | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)] | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)] | Human Resources Management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Human Resources Management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Establish/Maintain Documentation | Preventive | |
Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Audits and Risk Management | Detective | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources Management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources Management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)] | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Audits and Risk Management | Preventive | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)] | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Business Processes | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Human Resources Management | Preventive | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 | Establish/Maintain Documentation | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Communicate | Corrective | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Establish/Maintain Documentation | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)] | Establish/Maintain Documentation | Preventive | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Establish/Maintain Documentation | Preventive | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)] | Establish/Maintain Documentation | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)] | Establish/Maintain Documentation | Preventive | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)] | Establish/Maintain Documentation | Preventive | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)] | Establish/Maintain Documentation | Preventive | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)] | Communicate | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Establish/Maintain Documentation | Preventive | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.] | Process or Activity | Detective | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Communicate | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)] | Data and Information Management | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Business Processes | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Establish/Maintain Documentation | Preventive | |
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Business Processes | Preventive | |
Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Human Resources Management | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Business Processes | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Data and Information Management | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.] | Business Processes | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Process or Activity | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)] | Data and Information Management | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Establish/Maintain Documentation | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Establish/Maintain Documentation | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Establish/Maintain Documentation | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Establish/Maintain Documentation | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Establish/Maintain Documentation | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)] | Human Resources Management | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Establish/Maintain Documentation | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)] | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)] | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Behavior | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Establish/Maintain Documentation | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Process or Activity | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Behavior | Preventive | |
Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Data and Information Management | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Behavior | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Behavior | Preventive | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Process or Activity | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Data and Information Management | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Establish Roles | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Business Processes | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Business Processes | Preventive | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Business Processes | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)] | Data and Information Management | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)] | Data and Information Management | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.] | Communicate | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)] | Records Management | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Data and Information Management | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)] | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)] | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Data and Information Management | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)] | Data and Information Management | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Data and Information Management | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Data and Information Management | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)] | Human Resources Management | Detective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)] | Business Processes | Corrective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Behavior | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Establish/Maintain Documentation | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)] | Communicate | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Communicate | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Establish/Maintain Documentation | Preventive | |
Check the accuracy of restricted data. CC ID 00088 | Data and Information Management | Preventive | |
Record restricted data correctly. CC ID 00089 | Testing | Detective | |
Check the data accuracy of new accounts. CC ID 04859 | Data and Information Management | Preventive | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Establish/Maintain Documentation | Preventive | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Testing | Detective | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Data and Information Management | Preventive | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Data and Information Management | Preventive | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Data and Information Management | Preventive | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Data and Information Management | Preventive | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Data and Information Management | Preventive | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Data and Information Management | Preventive | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Data and Information Management | Preventive | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Data and Information Management | Preventive | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Data and Information Management | Detective | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Behavior | Detective | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Data and Information Management | Detective | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Process or Activity | Preventive | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Business Processes | Detective | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Business Processes | Preventive | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Process or Activity | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Establish/Maintain Documentation | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Data and Information Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)] | Establish/Maintain Documentation | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)] | Business Processes | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Acquisition or sale of facilities, technology, and services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Preventive | |
Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Preventive | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Preventive | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.] | Privacy protection for information and data | Preventive | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Preventive | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)] | Privacy protection for information and data | Corrective | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Detective | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)] | Audits and risk management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Operational management | Corrective | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Privacy protection for information and data | Preventive | |
Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.] | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Technical security | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)] | Privacy protection for information and data | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)] | Privacy protection for information and data | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)] | Privacy protection for information and data | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)] | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)] | Privacy protection for information and data | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Privacy protection for information and data | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Preventive | |
Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Preventive | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Preventive | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Preventive | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Preventive | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Preventive | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Preventive | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Preventive | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Preventive | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Preventive | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Detective | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)] | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Technical security | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)] | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Preventive | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Detective | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)] | Privacy protection for information and data | Preventive | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Preventive | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)] | Privacy protection for information and data | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)] | Privacy protection for information and data | Preventive | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)] | Privacy protection for information and data | Preventive | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)] | Privacy protection for information and data | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)] | Privacy protection for information and data | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Privacy protection for information and data | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Privacy protection for information and data | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)] | Privacy protection for information and data | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)] | Privacy protection for information and data | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)] | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)] | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)] | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Preventive | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)] | Third Party and supply chain oversight | Preventive | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Third Party and supply chain oversight | Detective | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)] | Human Resources management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Preventive | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)] | Privacy protection for information and data | Preventive | |
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)] | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)] | Monitoring and measurement | Detective | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)] | Audits and risk management | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.] | Privacy protection for information and data | Detective | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Privacy protection for information and data | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Privacy protection for information and data | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Preventive | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Detective |
There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5) {time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Operational management | Communicate | |
Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A controller shall comply with an authenticated consumer request to exercise the right to: Correct</span> ass="term_primary-noun">inaccuracies in the consumer's personal data, ="background-color:#CBD0E5;" class="term_secondary-verb">taking into account the nature of the personal data and the purposes of processing the data; § 367.3615 (2)(b)] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; § 367.3625 (1)(b) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; § 367.3625 (1)(c)] | Privacy protection for information and data | Business Processes |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 367.3623 (5)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Audits and Risk Management | |
Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Process or Activity | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Establish/Maintain Documentation | |
Require a data protection impact assessment when profiling the data subject. CC ID 12680 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Unfair or deceptive treatment of consumers or disparate impact on consumers; § 367.3621 (1)(c) 1. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Financial, physical, or reputational injury to consumers; § 367.3621 (1)(c) 2. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or § 367.3621 (1)(c) 3. Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of: Other substantial injury to consumers; § 367.3621 (1)(c) 4.] | Privacy protection for information and data | Process or Activity | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Behavior | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Review compliance with the organization's privacy objectives. CC ID 13490 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c)] | Privacy protection for information and data | Human Resources Management | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Testing | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Data and Information Management | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Behavior | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Data and Information Management | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Business Processes | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section. § 367.3625 (7)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Audits and Risk Management | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
Implement a fraud detection system. CC ID 13081 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a system security plan. CC ID 01922 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of targeted advertising; § 367.3621 (1)(a) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of personal data for the purposes of selling of personal data; § 367.3621 (1)(b) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: The processing of sensitive data; and § 367.3621 (1)(d) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: Any processing of personal data that presents a heightened risk of harm to consumers. § 367.3621 (1)(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 367.3621 (6) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data: § 367.3621 (1)] | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629. § 367.3621 (3)] | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller. § 367.3621 (2)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Technical security | Establish/Maintain Documentation | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for restricted data. CC ID 01921 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Technical security | Data and Information Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615; § 367.3619 (1)(a)] | Human Resources management | Human Resources Management | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 [Such assistance shall include: Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and § 367.3619 (1)(b)] | Human Resources management | Human Resources Management | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
Establish, implement, and maintain a legal support program. CC ID 13710 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for, or defend legal claims; § 367.3625 (1)(d) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Human Resources Management | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Human Resources management | Human Resources Management | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} A controller shall: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; § 367.3617 (1)(c) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be comparable} Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. § 367.3621 (7) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Comply with federal, state, or local laws or regulations; § 367.3625 (1)(a)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Business Processes | |
Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Human Resources Management | |
Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; § 367.3625 (1)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Refrain from providing products and services, as necessary. CC ID 15580 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the processing purpose in the privacy notice. CC ID 16543 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The purpose for processing personal data; § 367.3617 (3)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of third parties, if any, with whom the controller shares personal data. § 367.3617 (3)(e)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data processed by the controller; § 367.3617 (3)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of personal data disclosed in the privacy notice. CC ID 13446 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: The categories of personal data that the controller shares with third parties, if any; and § 367.3617 (3)(d)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the information about the appeal process in the privacy notice. CC ID 15312 [{process} Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; § 367.3617 (3)(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: § 367.3617 (3)] | Privacy protection for information and data | Communicate | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Privacy protection for information and data | Communicate | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a)] | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Business Processes | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [A controller shall comply with an authenticated consumer request to exercise the right to: Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret; § 367.3615 (2)(a) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing. § 367.3617 (4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Protect private communications in keeping with compliance requirements. CC ID 14334 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data request procedures. CC ID 16546 [{be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Human Resources Management | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Business Processes | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Data and Information Management | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [A controller shall comply with an authenticated consumer request to exercise the right to: Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. § 367.3615 (2)(e) {opt out} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613. § 367.3615 (3)(e) 2.] | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{time requirement} Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor. § 367.3627 (2)] | Privacy protection for information and data | Process or Activity | |
Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{data processing contract} The contract shall also include requirements that the processor shall: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 367.3619 (2)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{processor} Such assistance shall include: Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621. § 367.3619 (1)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} The contract shall also include requirements that the processor shall: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; § 367.3619 (2)(c) {data processing contract} The contract shall also include requirements that the processor shall: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and § 367.3619 (2)(d)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable. § 367.3617 (2) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include: § 367.3619 (1) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: § 367.3619 (2) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Assist another controller, processor, or third party with any of the obligations under this subsection. § 367.3625 (1)(k)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} The contract shall also include requirements that the processor shall: Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. § 367.3619 (2)(e)] | Privacy protection for information and data | Human Resources Management | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} The contract shall also include requirements that the processor shall: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 367.3619 (2)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [{not be necessary} {be incompatible} A controller shall: Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; § 367.3617 (1)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; § 367.3625 (1)(h)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Behavior | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow data subjects to submit data requests. CC ID 16545 [A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. § 367.3615 (1)] | Privacy protection for information and data | Process or Activity | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
Respond to data access requests in a timely manner. CC ID 00421 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Behavior | |
Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
Delay responding to data access requests, as necessary. CC ID 15504 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Data and Information Management | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Behavior | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 367.3623 (3)(a)] | Privacy protection for information and data | Process or Activity | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [{be different} {refrain from requiring} A controller shall: Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and § 367.3617 (1)(d)] | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
Process restricted data lawfully and carefully. CC ID 00086 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Business Processes | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Business Processes | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Business Processes | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {refrain from adversely affecting} Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity. § 367.3625 (5)] | Privacy protection for information and data | Data and Information Management | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: § 367.3625 (1)(j) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
Capture personal data removal requests. CC ID 13507 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1.] | Privacy protection for information and data | Communicate | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A controller shall comply with an authenticated consumer request to exercise the right to: Delete personal data provided by or obtained about the consumer; § 367.3615 (2)(c)] | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [{external requirement} A controller shall: Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq. § 367.3617 (1)(e)] | Privacy protection for information and data | Data and Information Management | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and § 367.3623 (3)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 367.3623 (3)(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. § 367.3625 (3)] | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension; § 367.3615 (3)(a)] | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 [{stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c) {stipulated amount} {be unfounded} {be excessive} {be repetitive} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request; § 367.3615 (3)(c)] | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 [A controller shall comply with an authenticated consumer request to exercise the right to: Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and § 367.3615 (2)(d)] | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or § 367.3615 (3)(e) 1. {be different} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: § 367.3625 (6) {be necessary} {be proportionate} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Reasonably necessary and proportionate to the purposes listed in this section; and § 367.3625 (6)(a) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Collect the minimum amount of restricted data necessary. CC ID 00078 [{be relevant} {be necessary} A controller shall: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; § 367.3617 (1)(a)] | Privacy protection for information and data | Data and Information Management | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Conduct internal research to develop, improve, or repair products, services, or technology; § 367.3625 (2)(a) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Effectuate a product recall; § 367.3625 (2)(b) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Identify and repair technical errors that impair existing or intended functionality; or § 367.3625 (2)(c) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party. § 367.3625 (2)(d) {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. § 367.3625 (6)(b)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [The controller in possession of de-identified data shall: Take reasonable measures to ensure the data cannot be associated with a natural person; § 367.3623 (1)(a) {public} The controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 367.3623 (1)(b) {refrain from requiring} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Re-identify de-identified data or pseudonymous data; or § 367.3623 (2)(a) {refrain from requiring} {de-identified data} Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. § 367.3623 (2)(b)] | Privacy protection for information and data | Data and Information Management | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
Store de-identifying code and re-identifying code separately. CC ID 16535 [The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. § 367.3623 (4)] | Privacy protection for information and data | Data and Information Management | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Behavior | |
Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629. § 367.3619 (3) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. § 367.3625 (4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4) {be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{stipulated timeframe} Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision; § 367.3615 (3)(b)] | Privacy protection for information and data | Communicate | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} {stipulated time frame} {be in writing} A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint. § 367.3615 (4)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows: If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and § 367.3615 (3)(d) {be secure} {be reliable} A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account. § 367.3617 (5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Data and Information Management | |
Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Data and Information Management | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Establish/Maintain Documentation | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Data and Information Management | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Data and Information Management | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Data and Information Management | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Data and Information Management | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Process or Activity | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Business Processes | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; § 367.3625 (1)(f) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; § 367.3625 (1)(g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [The controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629. § 367.3623 (1)(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
Provide products or services per customer requests. CC ID 08893 [Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; § 367.3625 (1)(e)] | Third Party and supply chain oversight | Business Processes |