Kentucky Code § KRS 380.070

Debt adjuster to take reasonable measures to protect debtor's personal information
(1) A debt adjuster shall take reasonable measures to:
    (a) Ensure the security and confidentiality of a debtor's personal information;
    (b) Protect against any anticipated threats or hazards to the security or integrity of a debtor's personal information; and
    (c) Protect against unauthorized access to or use of a debtor's personal information.

(2) The reasonable measures required by this section shall include, at a minimum:
    (a) Design and implementation of a comprehensive information security program that:
        1. Is written in one (1) or more readily accessible parts;
        2. Contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the debt adjuster, the nature and scope of the debt adjuster's activities, and the sensitivity of any personal information at issue;
        3. Designates one (1) or more employees to coordinate compliance with the information security program; and
        4. Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the personal information of a debtor that could result in the unauthorized access to or use of the information, and assesses the sufficiency of any safeguards in place to control these risks. At a minimum, the risk assessment required by this subparagraph shall include consideration of risks in each relevant area of the debt adjuster's operation, including employee training and management, information systems, information processing, information storage, information transmission, information disposal, and detecting, preventing, and responding to failures to comply with the information security program.
    (b) Design and implementation of information safeguards to control the risks identified by the risk assessment required by this subsection, as well as regular testing or other monitoring of the effectiveness of the safeguards of key controls, systems, and procedures;
    (c) Requirements for regular training of employees who will or may have access to records containing personal information of debtors regarding compliance with the information security program required by this subsection;
    (d) Oversight of service providers to whom personal information of a debtor will be disclosed, by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the personal information at issue, as well as requiring service providers, by contract, to implement and maintain those safeguards;
    (e) Evaluation and adjustment of the information security program in light of the results of testing and monitoring, any material changes to the operation or business arrangements of the debt adjuster, or any other circumstances that the debt adjuster knows or has reason to know may have a material impact on compliance with the information security program; and
    (f) A requirement that when records containing personal information of a debtor are disposed of the records shall be shredded, erased, or otherwise modified so the personal information is made unreadable or indecipherable through any means.



Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.