380.070 Debt adjuster to take reasonable measures to protect debtor's
personal information.
(1) A debt adjuster shall take reasonable measures to:
(a) Ensure the security and confidentiality of a debtor's personal information;
(b) Protect against any anticipated threats or hazards to the security or
integrity of a debtor's personal information; and
(c) Protect against unauthorized access to or use of a debtor's personal
information.
(2) The reasonable measures required by this section shall include, at a minimum:
(a) Design and implementation of a comprehensive information security
program that:
1. Is written in one (1) or more readily accessible parts;
2. Contains administrative, technical, and physical safeguards that are
appropriate to the size and complexity of the debt adjuster, the
nature and scope of the debt adjuster's activities, and the sensitivity
of any personal information at issue;
3. Designates one (1) or more employees to coordinate compliance
with the information security program; and
4. Identifies reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of the personal information of a
debtor that could result in the unauthorized access to or use of the
information, and assesses the sufficiency of any safeguards in place
to control these risks. At a minimum, the risk assessment required
by this subparagraph shall include consideration of risks in each
relevant area of the debt adjuster's operation, including employee
training and management, information systems, information
processing, information storage, information transmission,
information disposal, and detecting, preventing, and responding to
failures to comply with the information security program.
(b) Design and implementation of information safeguards to control the risks
identified by the risk assessment required by this subsection, as well as
regular testing or other monitoring of the effectiveness of the safeguards
of key controls, systems, and procedures;
(c) Requirements for regular training of employees who will or may have
access to records containing personal information of debtors regarding
compliance with the information security program required by this
subsection;
(d) Oversight of service providers to whom personal information of a debtor
will be disclosed, by taking reasonable steps to select and retain service
providers that are capable of maintaining appropriate safeguards for the
personal information at issue, as well as requiring service providers, by
contract, to implement and maintain those safeguards;
(e) Evaluation and adjustment of the information security program in light of
the results of testing and monitoring, any material changes to the
operation or business arrangements of the debt adjuster, or any other
circumstances that the debt adjuster knows or has reason to know may
have a material impact on compliance with the information security
program; and
(f) A requirement that when records containing personal information of a
debtor are disposed of the records shall be shredded, erased, or
otherwise modified so the personal information is made unreadable or
indecipherable through any means.
Effective: July 15, 2010
History: Created 2010 Ky. Acts ch. 86, sec. 7, effective July 15, 2010.