702 Ky. Admin. Regs. 1:170

Current through Register Vol. 51, No. 6, December 1, 2024
Section 702 KAR 1:170 - School district data security and breach procedures

RELATES TO: KRS 61.931, 61.932, 61.933

NECESSITY, FUNCTION, AND CONFORMITY: KRS 156.070 authorizes the Kentucky Board of Education (KBE) to promulgate administrative regulations necessary for the efficient management, control, and operation of the schools and programs under its jurisdiction. KRS 61.932(1)(b) specifically requires the KBE to promulgate administrative regulations establishing requirements and standards for the reasonable security and breach investigation procedures and practices established and implemented by public school districts. This administrative regulation establishes the requirements and standards for school district reasonable security and breach investigation procedures and practices.

Section 1. Definitions.
(1) "Personal information" is defined by KRS 61.931(6).
(2) "Reasonable security and breach investigation procedures and practices" is defined by KRS 61.931(8).
Section 2. Best Practice Guide for School District Personal Information Reasonable Security. The department shall at least annually provide school districts best practice guidance for personal information reasonable security. The current department guidance is provided in the Data Security and Breach Notification Best Practice Guide, which is incorporated by reference into this administrative regulation. School districts shall not be required to adopt the security practices included in this guidance.
Section 3. Annual Public School District Acknowledgement of Best Practices. Each public school district shall review and consider, in light of the needs of reasonable security, the most recent best practice guidance, including the Data Security and Breach Notification Best Practice Guide, for personal information reasonable security. Each public school district shall acknowledge to its own local board during a public board meeting prior to August 31 of each year, that the district has reviewed this guidance and implemented the best practices that meet the needs of personal information reasonable security in that district.
Section 4. Annual Department Acknowledgement of Best Practices. The department shall review and consider, in light of the needs of reasonable security, the most recent best practice guidance for personal information reasonable security. The department shall acknowledge to the KBE, by August 31 of each year, that the department has reviewed this guidance and implemented the best practices that meet the needs of personal information reasonable security for the department.
Section 5. Data Breach Notification to the Department. Any public school district that determines or is notified of a security breach relating to personal information collected, maintained, or stored by the school district or by a nonaffiliated third party on behalf of the school district shall provide the notification of the security breach to the department required by KRS 61.933, pursuant to the procedure included in the Data Security and Breach Notification Best Practice Guide.
Section 6. Incorporation by Reference.
(1) "Data Security and Breach Notification Best Practice Guide", September 2015, is incorporated by reference.
(2) This material may be inspected, copied, or obtained, subject to applicable copyright law, at the Department of Education, 500 Mero Street, First Floor, Capital Plaza Tower, Frankfort, Kentucky 40601, Monday through Friday, 8 a.m. to 4:30 p.m.

42 Ky.R. 1069; 1735; eff. 1-4-2016; Cert. eff. 8-9-2022.

STATUTORY AUTHORITY: KRS 61.932(1)(b), 156.070