Title 200 | Chapter 001 | Regulation 016
SUPERSEDED
This document is no longer current.
FINANCE AND ADMINISTRATION CABINET
Commonwealth Office of Technology
(New Administrative Regulation)
200 KAR 1:016. Data breach notification forms.
Section 1. Administrative – Required Forms.
(1) Finance Form FAC-001, Suspected and Determined Breach Notification Form, or a form substantially similar thereto, shall be completed by a state agency or nonaffiliated third party to provide written notification of a suspected or determined security breach of personal information collected, maintained, or stored by the agency or nonaffiliated third party.
(2) Finance Form FAC-002, Delay Notification Record, or a form substantially similar thereto, shall be completed by a state agency or nonaffiliated third party if the notification of a suspected or determined breach of personal information collected, maintained, or stored by the agency or nonaffiliated third party has been delayed pursuant to a request from a law enforcement agency or with the approval of the Office of the Attorney General.
Section 2. Incorporation by Reference.
(1) The following materials are incorporated by reference:
(a) Finance Form FAC-001, Suspected and Determined Breach Notification Form, Effective Date June 15, 2022; and
(b) Finance Form FAC-002, Delay Notification Record, Effective Date June 15, 2022.
(2) This material may be inspected, copied, or obtained, subject to applicable copyright law, at the Commonwealth Office of Technology, 101 Cold Harbor Drive, Frankfort, Kentucky 40601, Monday through Friday, 8 a.m. to 5 p.m., and on the Finance and Administration Cabinet's Web site, https://finance.ky.gov/office-of-the-secretary/Pages/finance-forms.aspx.
RUTH DAY, Chief Information Officer
HOLLY M. JOHNSON, Secretary
APPROVED BY AGENCY: June 20, 2022
FILED WITH LRC: June 15, 2022 at noon
PUBLIC HEARING AND COMMENT PERIOD: A public hearing on this administrative regulation shall be held on August 23, 2022, at 10 a.m. Eastern Time, in Room C-117, Kentucky Transportation Cabinet Building, 200 Mero Street, Frankfort, Kentucky 40622. Individuals interested in being heard at this hearing shall notify this agency in writing at least five (5) workdays prior to the hearing of their intent to attend. If no notification of intent to attend the hearing is received by the required date, the hearing may be cancelled. This hearing is open to the public. Any person who wishes to be heard will be given an opportunity to comment on this proposed administrative regulation. A transcript of the public hearing will not be made unless a written request for a transcript is made. If you do not wish to be heard at the public hearing, you may submit written comments on the proposed administrative regulation. Written comments shall be accepted until August 31, 2022. Send written notification of intent to be heard at the public hearing or written comments on the proposed administrative regulation to the contact person.
CONTACT PERSON: Robin Goodlett, Administrative Specialist III, Office of General Counsel, Finance and Administration Cabinet, 200 Mero Street, 5th Floor, Frankfort, Kentucky 40622, phone (502) 564-6660, fax (502) 564-9875, email RobinM.Goodlett@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Robin Goodlett
(1) Provide a brief summary of:
(a) What this administrative regulation does:
KRS 42.726(2)(b) authorizes the Finance and Administration Cabinet, Commonwealth Office of Technology (“COT”), to promulgate regulations relating to COT’s duties. KRS 61.933 specifically authorizes COT to prescribe forms to be used by state agencies and nonaffiliated third parties when they suspect or have determined that a breach of personal information has occurred with respect to personal information that the state agency or nonaffiliated third party maintains or otherwise possesses on behalf of another agency. KRS 61.932 specifically authorizes COT to prescribe forms to be used when a law enforcement agency has requested a delay in notification of a security breach to allow for investigation of the suspected or determined breach. This regulation prescribes those forms.
(b) The necessity of this administrative regulation:
This regulation is necessary in order for COT to satisfy KRS Chapter 13A.110 which states that forms required to be submitted by a regulated entity shall be included in an administrative regulation as well as the specific directives of KRS 61.932 and KRS 61.933.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
KRS 61.932 and KRS 61.933 specifically direct COT to prescribe these forms.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
The forms prescribed herein will provide necessary notice to agencies, law enforcement, the Auditor of Public Accounts and the Attorney General as required by House Bill 5 of the 2014 Regular Session of the General Assembly.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
N/A.
(b) The necessity of the amendment to this administrative regulation:
N/A.
(c) How the amendment conforms to the content of the authorizing statutes:
N/A.
(d) How the amendment will assist in the effective administration of the statutes:
N/A.
(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
All state agencies or private entities (identified as nonaffiliated third parties) which maintain or otherwise possess personal information for state agencies will be affected.
(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment:
Affected entities must complete the prescribed forms when they suspect or determine that a breach of personal information has occurred.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3):
There will be a minimal cost to complete the forms.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (3):
Affected entities will comply with the requirements of KRS 61.931-934.
(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
COT will not incur any initial costs as the result of this regulation.
(b) On a continuing basis:
COT will not incur any additional, continuing costs as the result of this regulation.
(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation:
COT agency funds.
(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
This administrative regulation does not require an increase in fees or funding.
(8) State whether or not this administrative regulation establishes any fees or directly or indirectly increases any fees:
This administrative regulation does not directly or indirectly establish or increase any fees.
(9) TIERING: Is tiering applied?
Tiering is not applied.
FISCAL NOTE
(1) What units, parts, or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation?
No local government entities will be affected, but COT and any state agency which suspects or experiences a security breach of personal information will be required to submit the required forms.
(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation.
KRS 42.726; KRS 61.932; and KRS 61.933.
(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect.
None.
(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year?
None.
(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years?
None.
(c) How much will it cost to administer this program for the first year?
None.
(d) How much will it cost to administer this program for subsequent years?
None.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Revenues (+/-):
Expenditures (+/-):
Other Explanation:
(4) Estimate the effect of this administrative regulation on the expenditures and cost savings of regulated entities for the first full year the administrative regulation is to be in effect.
(a) How much cost savings will this administrative regulation generate for the regulated entities for the first year?
(b) How much cost savings will this administrative regulation generate for the regulated entities for subsequent years?
(c) How much will it cost the regulated entities for the first year?
(d) How much will it cost the regulated entities for subsequent years?
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Cost Savings (+/-):
Expenditures (+/-):
Other Explanation:
(5) Explain whether this administrative regulation will have a major economic impact, as defined below.