61.931 Definitions for KRS 61.931 to 61.934.

As used in KRS 61.931 to 61.934:

(1) "Agency" means:
    (a) The executive branch of state government of the Commonwealth of Kentucky;
    (b) Every county, city, municipal corporation, urban-county government, charter county government, consolidated local government, and unified local government;
    (c) Every organizational unit, department, division, branch, section, unit, office, administrative body, program cabinet, bureau, board, commission, committee, subcommittee, ad hoc committee, council, authority, public agency, instrumentality, interagency body, special purpose governmental entity, or public corporation of an entity specified in paragraph (a) or (b) of this subsection or created, established, or controlled by an entity specified in paragraph (a) or (b) of this subsection;
    (d) Every public school district in the Commonwealth of Kentucky; and
    (e) Every public institution of postsecondary education, including every public university in the Commonwealth of Kentucky and public college of the entire Kentucky Community and Technical College System;

(2) "Commonwealth Office of Technology" means the office established by KRS 42.724;

(3) "Encryption" means the conversion of data using technology that:
    (a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the Federal Information Processing Standards; and
    (b) Renders the data indecipherable without the associated cryptographic key to decipher the data;

(4) "Law enforcement agency" means any lawfully organized investigative agency, sheriff's office, police unit, or police force of federal, state, county, urban-county government, charter county, city, consolidated local government, unified local government, or any combination of these entities, responsible for the detection of crime and the enforcement of the general criminal federal and state laws;

(5) "Nonaffiliated third party" means any person that:
    (a) Has a contract or agreement with an agency; and
    (b) Receives personal information from the agency pursuant to the contract or agreement;

(6) "Personal information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
    (a) An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
    (b) A Social Security number;
    (c) A taxpayer identification number that incorporates a Social Security number;
    (d) A driver's license number, state identification card number, or other individual identification number issued by any agency;
    (e) A passport number or other identification number issued by the United States government; or
    (f) Individually identifiable health information as defined in 45 C.F.R. sec. 160.103, except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g;

(7) (a) "Public record or record," as established by KRS 171.410, means all books, papers, maps, photographs, cards, tapes, disks, diskettes, recordings, and other documentary materials, regardless of physical form or characteristics, which are prepared, owned, used, in the possession of, or retained by a public agency.
    (b) "Public record" does not include any records owned by a private person or corporation that are not related to functions, activities, programs, or operations funded by state or local authority;

(8) "Reasonable security and breach investigation procedures and practices" means data security procedures and practices developed in good faith and set forth in a written security information policy; and

(9) (a) "Security breach" means:
        1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
        2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
    (b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

Effective: January 1, 2015

History: Created 2014 Ky. Acts ch. 74, sec. 1, effective January 1, 2015.

Legislative Research Commission Note (1/1/2015). 2014 Ky. Acts ch. 74, sec. 10 provided that "the provisions of this Act shall not impact the provisions of KRS 61.870 to 61.884." That proviso applies to this statute as created in Section 1 of that Act.