AN ACT relating to the safety and security of personal information held by public agencies.
Be it enacted by the General Assembly of the Commonwealth of Kentucky:
SECTION 1. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
As used in Sections 1 to 4 of this Act:
(1) "Agency" means:
(a) The executive branch of state government of the Commonwealth of Kentucky;
(b) Every county, city, municipal corporation, urban-county government, charter county government, consolidated local government, and unified local government;
(c) Every organizational unit, department, division, branch, section, unit, office, administrative body, program cabinet, bureau, board, commission, committee, subcommittee, ad hoc committee, council, authority, public agency, instrumentality, interagency body, special purpose governmental entity, or public corporation of an entity specified in paragraph (a) or (b) of this subsection or created, established, or controlled by an entity specified in paragraph (a) or (b) of this subsection;
(d) Every public school district in the Commonwealth of Kentucky; and
(e) Every public institution of postsecondary education, including every public university in the Commonwealth of Kentucky and public college of the entire Kentucky Community and Technical College System;
(2) "Commonwealth Office of Technology" means the office established by KRS 42.724;
(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the Federal Information Processing Standards; and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(4) "Law enforcement agency" means any lawfully organized investigative agency, sheriff's office, police unit, or police force of federal, state, county, urban-county government, charter county, city, consolidated local government, unified local government, or any combination of these entities, responsible for the detection of crime and the enforcement of the general criminal federal and state laws;
(5) "Nonaffiliated third party" means any person that:
(a) Has a contract or agreement with an agency; and
(b) Receives personal information from the agency pursuant to the contract or agreement;
(6) "Personal information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
(a) An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
(b) A Social Security number;
(c) A taxpayer identification number that incorporates a Social Security number;
(d) A driver's license number, state identification card number, or other individual identification number issued by any agency;
(e) A passport number or other identification number issued by the United States government; or
(f) Individually identifiable health information as defined in 45 C.F.R. sec. 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g;
(7) (a) "Public record or record," as established by KRS 171.410, means all books, papers, maps, photographs, cards, tapes, disks, diskettes, recordings, and other documentary materials, regardless of physical form or characteristics, which are prepared, owned, used, in the possession of or retained by a public agency.
(b) "Public record" does not include any records owned by a private person or corporation that are not related to functions, activities, programs or operations funded by state or local authority;
(8) "Reasonable security and breach investigation procedures and practices" means data security procedures and practices developed in good faith and set forth in a written security information policy; and
(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.
SECTION 2. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
(1) (a) An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the personal information is maintained, shall implement, maintain, and update security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches.
(b) Reasonable security and breach investigation procedures and practices established and implemented by organizational units of the executive branch of state government shall be in accordance with relevant enterprise policies established by the Commonwealth Office of Technology. Reasonable security and breach investigation procedures and practices established and implemented by units of government listed under subsection (1)(b) of Section 1 of this Act and subsection (1)(c) of Section 1 of this Act that are not organizational units of the executive branch of state government shall be in accordance with policies established by the Department for Local Government. The Department for Local Government shall consult with public entities as defined in KRS 65.310 in the development of policies establishing reasonable security and breach investigation procedures and practices for units of local government pursuant to this subsection. Reasonable security and breach investigation procedures and practices established and implemented by public school districts listed under subsection (1)(d) of Section 1 of this Act shall be in accordance with administrative regulations promulgated by the Kentucky Board of Education. Reasonable security and breach investigation procedures and practices established and implemented by educational entities listed under subsection (1)(e) of Section 1 of this Act shall be in accordance with policies established by the Council on Postsecondary Education. The Commonwealth Office of Technology shall, upon request of an agency, make available technical assistance for the establishment and implementation of reasonable security and breach investigation procedures and practices.
(c) 1. If an agency is subject to any additional requirements under the Kentucky Revised Statutes, or under federal law, protocols or agreements relating to the protection and privacy of personal information, the agency shall comply with these additional requirements, in addition to the requirements of Sections 1 to 4 of this Act.
2. If a nonaffiliated third party is required by federal law or regulation to conduct security breach investigations or to make notifications of security breaches, or both, as a result of the nonaffiliated third party's unauthorized disclosure of one (1) or more data elements of personal information that is the same as one (1) or more of the data elements of personal information listed in subsection (6)(a) to (f) of Section 1 of this Act, the nonaffiliated third party shall meet the requirements of Sections 1 to 4 of this Act by providing to the agency a copy of any and all reports and investigations relating to such security breach investigations or notifications that are required to be made by federal law or regulations. This subparagraph of this paragraph shall not apply if the security breach includes the unauthorized disclosure of data elements that are not covered by federal law or regulation but are listed in subsection (6)(a) to (f) of Section 1 of this Act.
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.
(b) 1. A nonaffiliated third party that is provided access to personal information by an agency, or that collects and maintains personal information on behalf of an agency shall notify the agency in the most expedient time possible and without unreasonable delay but within seventy-two (72) hours of determination of a security breach relating to the personal information in the possession of the nonaffiliated third party. The notice to the agency shall include all information the nonaffiliated third party has with regard to the security breach at the time of notification. Agreements referenced in subsection (2)(a) of this section shall specify how the cost of the notification and investigation requirements under Section 3 of this Act are to be apportioned when a security breach is suffered by the agency or nonaffiliated third party.
2. The notice required by subparagraph 1. of this paragraph may be delayed if a law enforcement agency notifies the nonaffiliated third party that notification will impede a criminal investigation or jeopardize homeland or national security. If notice is delayed pursuant to this paragraph, notification shall be given as soon as reasonably feasible by the nonaffiliated third party to the agency with which the nonaffiliated third party is contracting. The agency shall then record the notification in writing on a form developed by the Commonwealth Office of Technology that the notification will not impede a criminal investigation and will not jeopardize homeland or national security. The Commonwealth Office of Technology shall promulgate administrative regulations under Sections 1 to 4 of this Act regarding the content of the form.
SECTION 3. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
(1) (a) Any agency that collects, maintains, or stores personal information that determines or is notified of a security breach relating to personal information collected, maintained, or stored by the agency or by a nonaffiliated third-party on behalf of the agency shall as soon as possible, but within seventy-two (72) hours of determination or notification of the security breach:
1. Notify the Commissioner of the Kentucky State Police, the Auditor of Public Accounts, and the Attorney General. In addition, an agency shall notify the Secretary of the Finance and Administration Cabinet or his or her designee if an agency is an organizational unit of the executive branch of state government; notify the Commissioner of the Department for Local Government if the agency is a unit of government listed in subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government; notify the Commissioner of the Kentucky Department of Education if the agency is a public school district listed in subsection (1)(d) of Section 1 of this Act; and notify the President of the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(c) of Section 1 of this Act. Notification shall be in writing on a form developed by the Commonwealth Office of Technology. The Commonwealth Office of Technology shall promulgate administrative regulations under Sections 1 to 4 of this Act regarding the contents of the form; and
2. Begin conducting a reasonable and prompt investigation in accordance with the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section to determine whether the security breach has resulted in or is likely to result in the misuse of the personal information.
(b) Upon conclusion of the agency's investigation:
1. If the agency determined that a security breach has occurred and that the misuse of personal information has occurred or is reasonably likely to occur, the agency shall:
a. Within forty-eight (48) hours of completion of the investigation, notify in writing all officers listed in subparagraph (1)(a)1. of this section, and the Commissioner of the Department for Libraries and Archives, unless the provisions of subsection (3) of this section apply;
b. Within thirty-five (35) days of providing the notifications required by subparagraph a. of this paragraph, notify all individuals impacted by the security breach as provided in subsection (2) of this section, unless the provisions of subsection (3) of this section apply; and
c. If the number of individuals to be notified exceeds one thousand (1,000), the agency shall notify, at least seven (7) days prior to providing notice to individuals under subparagraph b. of this paragraph, the Commonwealth Office of Technology if the agency is an organizational unit of the executive branch of state government, the Department for Local Government if the agency is a unit of government listed under subsection (1)(b) of Section 1 of this Act or subsection (1)(c) of Section 1 of this Act that is not an organizational unit of the executive branch of state government, the Kentucky Department of Education if the agency is a public school district listed under subsection (1)(d) of Section 1 of this Act, or the Council on Postsecondary Education if the agency is an educational entity listed under subsection (1)(e) of Section 1 of this Act; and notify all consumer credit reporting agencies included on the list maintained by the Office of the Attorney General that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. sec. 1681a(p), of the timing, distribution, and content of the notice; or
2. If the agency determines that the misuse of personal information has not occurred and is not likely to occur, the agency is not required to give notice, but shall maintain records that reflect the basis for its decision for a retention period set by the State Archives and Records Commission as established by KRS 171.420. The agency shall notify the appropriate entities listed in subsection (1)(a)1. of this section that the misuse of personal information has not occurred.
(2) (a) The provisions of this subsection establish the requirements for providing notice to individuals under subsection (1)(b)1.b. of this section. Notice shall be provided as follows:
1. Conspicuous posting of the notice on the Web site of the agency;
2. Notification to regional or local media if the security breach is localized, and also to major statewide media if the security breach is widespread, including broadcast media, such as radio and television; and
3. Personal communication to individuals whose data has been breached using the method listed in subdivisions a., b., and c. of this subparagraph that the agency believes is most likely to result in actual notification to those individuals, if the agency has the information available:
a. In writing, sent to the most recent address for the individual as reflected in the records of the agency;
b. By electronic mail, sent to the most recent electronic mail address for the individual as reflected in the records of the agency, unless the individual has communicated to the agency in writing that they do not want email notification; or
c. By telephone, to the most recent telephone number for the individual as reflected in the records of the agency.
(b) The notice shall be clear and conspicuous, and shall include:
1. To the extent possible, a description of the categories of information that were subject to the security breach, including the elements of personal information that were or were believed to be acquired;
2. Contact information for the notifying agency, including the address, telephone number, and toll-free number if a toll-free number is maintained;
3. A description of the general acts of the agency, excluding disclosure of defenses used for the protection of information, to protect the personal information from further security breach; and
4. The toll-free numbers, addresses, and Web site addresses, along with a statement that the individual can obtain information from the following sources about steps the individual may take to avoid identity theft, for:
a. The major consumer credit reporting agencies;
b. The Federal Trade Commission; and
c. The Office of the Kentucky Attorney General.
(c) The agency providing notice pursuant to this subsection shall cooperate with any investigation conducted by the agencies notified under subsection (1)(a) of this section and with reasonable requests from the Office of Consumer Protection of the Office of the Attorney General, consumer credit reporting agencies, and recipients of the notice, to verify the authenticity of the notice.
(3) (a) The notices required by subsection (1) of this section shall not be made if, after consultation with a law enforcement agency, the agency receives a written request from a law enforcement agency for a delay in notification because the notice may impede a criminal investigation. The written request may apply to some or all of the required notifications, as specified in the written request from the law enforcement agency. Upon written notification from the law enforcement agency that the criminal investigation has been completed, or that the sending of the required notifications will no longer impede a criminal investigation, the agency shall send the notices required by subsection (1)(b)1. of this section.
(b) The notice required by subsection (1)(b)1.b. of this section may be delayed if the agency determines that measures necessary to restore the reasonable integrity of the data system cannot be implemented within the timeframe established by subsection (1)(b)1.b. of this section, and the delay is approved in writing by the Office of the Attorney General. If notice is delayed pursuant to this subsection, notice shall be made immediately after actions necessary to restore the integrity of the data system have been completed.
(4) Any waiver of the provisions of this section is contrary to public policy and shall be void and unenforceable.
(5) This section shall not apply to:
(a) Personal information that has been redacted;
(b) Personal information disclosed to a federal, state, or local government entity, including a law enforcement agency or court, or their agents, assigns, employees, or subcontractors, to investigate or conduct criminal investigations and arrests, delinquent tax assessments, or to perform any other statutory duties and responsibilities;
(c) Personal information that is publicly and lawfully made available to the general public from federal, state, or local government records;
(d) Personal information that an individual has consented to have publicly disseminated or listed; or
(e) To any document recorded in the records of either a county clerk or circuit clerk of a county, or in the records of a United States District Court.
(6) The Office of the Attorney General may bring an action in the Franklin Circuit Court against an agency or a nonaffiliated third party that is not an agency, or both, for injunctive relief, and for other legal remedies against a nonaffiliated third party that is not an agency to enforce the provisions of Sections 1 to 4 of this Act. Nothing in Sections 1 to 4 of this Act shall create a private right of action.
SECTION 4. A NEW SECTION OF KRS CHAPTER 61 IS CREATED TO READ AS FOLLOWS:
(1) The legislative and judicial branches of state government shall implement, maintain, and update reasonable security and breach investigation procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches consistent with Sections 1 to 4 of this Act.
(2) The Department for Libraries and Archives shall establish procedures for the appropriate disposal or destruction of records that include personal information pursuant to the authority granted the Department for Libraries and Archives under Section 8 of this Act.
Section 5. KRS 42.722 is amended to read as follows:
As used in KRS 42.720 to 42.742[, unless the context requires otherwise]:
(1) "Communications" or "telecommunications" means any transmission, emission, or reception of signs, signals, writings, images, and sounds of intelligence of any nature by wire, radio, optical, or other electromagnetic systems, and includes all facilities and equipment performing these functions;
(2) "Geographic information system" or "GIS" means a computerized database management system for the capture, storage, retrieval, analysis, and display of spatial or locationally defined data;
(3) "Information resources" means the procedures, equipment, and software that are designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel;
(4) "Information technology" means data processing and telecommunications hardware, software, services, supplies, facilities, maintenance, and training that are used to support information processing and telecommunications systems to include geographic information systems;[ and]
(5) "Personal information" has the same meaning as in Section 1 of this Act;
(6) "Project" means a program to provide information technologies support to functions within an executive branch state agency, which should be characterized by well-defined parameters, specific objectives, common benefits, planned activities, expected outcomes and completion dates, and an established budget with a specified source of funding[.]; and
(7) "Security breach" has the same meaning as in Section 1 of this Act.
Section 6. KRS 42.726 is amended to read as follows:
(1) The roles and duties of the Commonwealth Office of Technology shall include but not be limited to:
(a) Providing technical support and services to all executive agencies of state government in the application of information technology;
(b) Assuring compatibility and connectivity of Kentucky's information systems;
(c) Developing strategies and policies to support and promote the effective applications of information technology within state government as a means of saving money, increasing employee productivity, and improving state services to the public, including electronic public access to information of the Commonwealth;
(d) Developing, implementing, and managing strategic information technology directions, standards, and enterprise architecture, including implementing necessary management processes to assure full compliance with those directions, standards, and architecture[. This specifically includes but is not limited to directions, standards, and architecture related to the privacy and confidentiality of data collected and stored by state agencies];
(e) Promoting effective and efficient design and operation of all major information resources management processes for executive branch agencies, including improvements to work processes;
(f) Developing, implementing, and maintaining the technology infrastructure of the Commonwealth;
(g) Facilitating and fostering applied research in emerging technologies that offer the Commonwealth innovative business solutions;
(h) Reviewing and overseeing large or complex information technology projects and systems for compliance with statewide strategies, policies, and standards, including alignment with the Commonwealth's business goals, investment, and other risk management policies. The executive director is authorized to grant or withhold approval to initiate these projects;
(i) Integrating information technology resources to provide effective and supportable information technology applications in the Commonwealth;
(j) Establishing a central statewide geographic information clearinghouse to maintain map inventories, information on current and planned geographic information systems applications, information on grants available for the acquisition or enhancement of geographic information resources, and a directory of geographic information resources available within the state or from the federal government;
(k) Coordinating multiagency information technology projects, including overseeing the development and maintenance of statewide base maps and geographic information systems;
(l) Providing access to both consulting and technical assistance, and education and training, on the application and use of information technologies to state and local agencies;
(m) In cooperation with other agencies, evaluating, participating in pilot studies, and making recommendations on information technology hardware and software;
(n) Providing staff support and technical assistance to the Geographic Information Advisory Council and the Kentucky Information Technology Advisory Council;
(o) Overseeing the development of a statewide geographic information plan with input from the Geographic Information Advisory Council;[; and]
(p) Developing for state executive branch agencies a coordinated security framework and model governance structure relating to the privacy and confidentiality of personal information collected and stored by state executive branch agencies, including but not limited to:
1. Identification of key infrastructure components and how to secure them;
2. Establishment of a common benchmark that measures the effectiveness of security, including continuous monitoring and automation of defenses;
3. Implementation of vulnerability scanning and other security assessments;
4. Provision of training, orientation programs, and other communications that increase awareness of the importance of security among agency employees responsible for personal information; and
5. Development of and making available a cyber security incident response plan and procedure.
(q) Preparing proposed legislation and funding proposals for the General Assembly that will further solidify coordination and expedite implementation of information technology systems.
(2) The Commonwealth Office of Technology may:
(a) Provide general consulting services, technical training, and support for generic software applications, upon request from a local government, if the executive director finds that the requested services can be rendered within the established terms of the federally approved cost allocation plan;
(b) Promulgate administrative regulations in accordance with KRS Chapter 13A necessary for the implementation of KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;
(c) Solicit, receive, and consider proposals from any state agency, federal agency, local government, university, nonprofit organization, private person, or corporation;
(d) Solicit and accept money by grant, gift, donation, bequest, legislative appropriation, or other conveyance to be held, used, and applied in accordance with KRS 42.720 to 42.742, 45.253, 171.420, 186A.040, 186A.285, and 194A.146;
(e) Make and enter into memoranda of agreement and contracts necessary or incidental to the performance of duties and execution of its powers, including, but not limited to, agreements or contracts with the United States, other state agencies, and any governmental subdivision of the Commonwealth;
(f) Accept grants from the United States government and its agencies and instrumentalities, and from any source, other than any person, firm, or corporation, or any director, officer, or agent thereof that manufactures or sells information resources technology equipment, goods, or services. To these ends, the Commonwealth Office of Technology shall have the power to comply with those conditions and execute those agreements that are necessary, convenient, or desirable; and
(g) Purchase interest in contractual services, rentals of all types, supplies, materials, equipment, and other services to be used in the research and development of beneficial applications of information resources technologies. Competitive bids may not be required for:
1. New and emerging technologies as approved by the executive director or her or his designee; or
2. Related professional, technical, or scientific services, but contracts shall be submitted in accordance with KRS 45A.690 to 45A.725.
(3) Nothing in this section shall be construed to alter or diminish the provisions of KRS 171.410 to 171.740 or the authority conveyed by these statutes to the Archives and Records Commission and the Department for Libraries and Archives.
(4) The Commonwealth Office of Technology shall, on or before October 1 of each year, submit to the Legislative Research Commission a report in accordance with KRS 57.390 detailing:
(a) Any security breaches that occurred within organizational units of the executive branch of state government during the prior fiscal year that required notification to the Commonwealth Office of Technology under Section 2 of this Act;
(b) Actions taken to resolve the security breach, and to prevent additional security breaches in the future;
(c) A general description of what actions are taken as a matter of course to protect personal data from security breaches; and
(d) Any quantifiable financial impact to the agency reporting a security breach.
Section 7. KRS 42.732 is amended to read as follows:
(1) There is hereby created the Kentucky Information Technology Advisory Council to:
(a) Advise the executive director of the Commonwealth Office of Technology on approaches to coordinating information technology solutions among libraries, public schools, local governments, universities, and other public entities; [and]
(b) Advise the executive director of the Commonwealth Office of Technology on coordination among and across the organizational units of the executive branch of state government to prepare for, respond to, and prevent attacks; and
(c) Provide a forum for the discussion of emerging technologies that enhance electronic accessibility to various publicly funded sources of information and services.
(2) The Kentucky Information Technology Advisory Council shall consist of:
(a) The state budget director or a designee;
(b) The state librarian or a designee;
(c) One (1) representative from the public universities to be appointed by the Governor from a list of three (3) persons submitted by the Council on Postsecondary Education;
(d) Three (3) citizen members from the private sector with information technology knowledge and experience appointed by the Governor;
(e) Two (2) representatives of local government appointed by the Governor;
(f) One (1) representative from the area development districts appointed by the Governor from a list of names submitted by the executive directors of the area development districts;
(g) One (1) member of the media appointed by the Governor;
(h) The executive director of the Kentucky Authority for Educational Television;
(i) The chair of the Public Service Commission or a designee;
(j) Two (2) members of the Kentucky General Assembly, one (1) from each chamber, selected by the Legislative Research Commission;
(k) One (1) representative of the Administrative Office of the Courts;
(l) One (1) representative from the public schools system appointed by the Governor;
(m) One (1) representative of the Kentucky Chamber of Commerce; and
(n) The executive director of the Commonwealth Office of Technology.
(3) Appointed members of the council shall serve for a term of two (2) years. Members who serve by virtue of an office shall serve on the council while they hold the office.
(4) Vacancies on the council shall be filled in the same manner as the original appointments. If a nominating organization changes its name, its successor organization having the same responsibilities and purposes shall be the nominating organization.
(5) Members shall receive no compensation but shall receive reimbursement for actual and necessary expenses in accordance with travel and subsistence requirements established by the Finance and Administration Cabinet.
Section 8. KRS 171.450 is amended to read as follows:
(1) The department shall establish:
(a) Procedures for the compilation and submission to the department of lists and schedules of public records proposed for disposal;
(b) Procedures for the disposal or destruction of public records authorized for disposal or destruction, including appropriate procedures to protect against unauthorized access to or use of personal information as defined by Section 1 of this Act;
(c) Standards and procedures for recording, managing, and preserving public records and for the reproduction of public records by photographic or microphotographic process;
(d) Procedures for collection and distribution by the central depository of all reports and publications, except the Kentucky Revised Statutes editions, issued by any department, board, commission, officer or other agency of the Commonwealth for general public distribution after July 1, 1958.
(2) The department shall enforce the provisions of KRS 171.410 to 171.740 by appropriate rules and regulations.
(3) The department shall make copies of such rules and regulations available to all officials affected by KRS 171.410 to 171.740 subject to the provisions of KRS Chapter 13A.
(4) Such rules and regulations when approved by the department shall be binding on all state and local agencies, subject to the provisions of KRS Chapter 13A. The department shall perform any acts deemed necessary, legal and proper to carry out the duties and responsibilities imposed upon it pursuant to the authority granted herein.
Section 9. KRS 171.680 is amended to read as follows:
(1) The head of each state and local agency shall establish and maintain an active, continuing program for the economical and efficient management of the records of the agency.
(2) Such program shall provide for:
(a) Effective controls over the creation, maintenance, and use of records in the conduct of current business;
(b) Cooperation with the department in applying standards, procedures, and techniques designed to improve the management of records;
(c) Promotion of the maintenance and security of records deemed appropriate for preservation, and facilitation of the segregation and disposal of records of temporary value;
(d) Compliance with the provisions of KRS 171.410 to 171.740 and the rules and regulations of the department; and
(e) Compliance with the provisions of Sections 1 to 4 of this Act.
Section 10. The provisions of this Act shall not impact the provisions of KRS 61.870 to KRS 61.884.
Section 11. This Act takes effect January 1, 2015.