Kentucky Statutes 380.070 – Debt adjuster to take reasonable measures to protect debtor’s personal information
Current as of: 2024
(1) A debt adjuster shall take reasonable measures to:
(a) Ensure the security and confidentiality of a debtor’s personal information;
(b) Protect against any anticipated threats or hazards to the security or integrity of a debtor’s personal information; and
(c) Protect against unauthorized access to or use of a debtor’s personal information.
(2) The reasonable measures required by this section shall include, at a minimum:
(a) Design and implementation of a comprehensive information security program that:
1. Is written in one (1) or more readily accessible parts;
2. Contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the debt adjuster, the nature and scope of the debt adjuster’s activities, and the sensitivity of any personal information at issue;
3. Designates one (1) or more employees to coordinate compliance with the information security program; and
4. Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the personal information of a debtor that could result in the unauthorized access to or use of the information, and assesses the sufficiency of any safeguards in place to control these risks. At a minimum, the risk assessment required by this subparagraph shall include consideration of risks in each relevant area of the debt adjuster’s operation, including employee training and management, information systems, information processing, information storage, information transmission, information disposal, and detecting, preventing, and responding to failures to comply with the information security program.
(b) Design and implementation of information safeguards to control the risks identified by the risk assessment required by this subsection, as well as regular testing or other monitoring of the effectiveness of the safeguards of key controls, systems, and procedures;
(c) Requirements for regular training of employees who will or may have access to records containing personal information of debtors regarding compliance with the information security program required by this subsection;
(d) Oversight of service providers to whom personal information of a debtor will be disclosed, by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the personal information at issue, as well as requiring service providers, by contract, to implement and maintain those safeguards;
(e) Evaluation and adjustment of the information security program in light of the results of testing and monitoring, any material changes to the operation or business arrangements of the debt adjuster, or any other circumstances that the debt adjuster knows or has reason to know may have a material impact on compliance with the information security program; and
(f) A requirement that when records containing personal information of a debtor are disposed of the records shall be shredded, erased, or otherwise modified so the personal information is made unreadable or indecipherable through any means.
Effective: July 15, 2010
History: Created 2010 Ky. Acts ch. 86, sec. 7, effective July 15, 2010.
Terms Used In Kentucky Statutes 380.070
- Contract: A legal written agreement that becomes binding when signed.
- Debt adjuster: means a person engaged in the business of debt adjusting. See Kentucky Statutes 380.010
- Debtor: means an individual who resides in Kentucky and is indebted to a creditor or creditors, including two (2) or more individuals who are jointly and severally, or jointly or severally, indebted to a creditor or creditors. See Kentucky Statutes 380.010
- Oversight: Committee review of the activities of a Federal agency or program.
- Personal information: means any information:
1. See Kentucky Statutes 380.010