Kentucky Statutes 304.3-750 – Definitions for KRS 304.3-750 to 304.3-768
Current as of: 2024
As used in KRS § 304.3-750 to KRS § 304.3-768:
(1) “Consumer” means an individual, including but not limited to an applicant, policyholder, insured, beneficiary, claimant, and certificate holder:
(a) Who is a resident of this Commonwealth; and
(b) Whose nonpublic information is in a licensee’s possession, custody, or control;
(2) “Cybersecurity event”:
(a) Means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system; and
(b) Shall not include:
1. Unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or
2. An event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person:
a. Has not been used or released; and
b. Has been returned or destroyed;
(3) “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key;
(4) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information;
(5) “Information system”:
(a) Means a discrete set of electronic nonpublic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information; and
(b) Shall include any specialized system such as industrial or process controls systems, telephone switching and private branch exchange systems, and environmental control systems;
(6) “Licensee”:
(a) Means any person who is, or is required to be, licensed, authorized to operate, or registered pursuant to the insurance laws of this state; and
(b) Shall not include:
1. A purchasing group or a risk retention group chartered and licensed in a state other than this state; or
2. A licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction;
(7) “Nonpublic information”:
(a) Means electronic information that is not publicly available information; and
(b) Shall include:
1. Business-related information of a licensee that if tampered with, or disclosed, accessed, or used without authorization, would cause a material adverse impact to the business, operations, or security of the licensee;
2. Any confidential personal identifying information of a consumer, including:
a. Social Security number;
b. Operator’s license number or personal identification card number;
c. Financial account number;
d. Credit or debit card number;
e. Any security code, access code, or password that would permit access to a consumer’s financial account; or
f. Biometric records; and
3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that relates to:
a. The past, present, or future physical, mental, or behavioral health or condition of any consumer or member of the consumer’s family;
b. The provision of health care to any consumer; or
c. Payment for the provision of health care to any consumer;
(8) “Person” means any individual or nongovernmental entity, including but not limited to any nongovernmental partnership, corporation, branch, agency, or association;
(9) (a) “Publicly available information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
1. Federal, state, or local government records;
2. Widely distributed media; or
3. Disclosures to the general public that are required to be made by federal, state, or local law.
(b) For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
1. That the information is of the type that is available to the general public; and
2. Whether the consumer can direct that information not be made available to the general public, and if so, that the consumer has not done so; and
(10) “Third-party service provider” means a person, other than a licensee, that:
(a) Contracts with a licensee to maintain, process, or store nonpublic information; or
(b) Is otherwise permitted access to nonpublic information through its provision of services to a licensee.
Effective: January 1, 2023
History: Created 2022 Ky. Acts ch. 149, sec. 1, effective January 1, 2023.
Terms Used In Kentucky Statutes 304.3-750
- Beneficiary: A person who is entitled to receive the benefits or proceeds of a will, trust, insurance policy, retirement plan, annuity, or other contract. Source: OCC
- Federal: refers to the United States. See Kentucky Statutes 446.010
- Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
- State: when applied to a part of the United States, includes territories, outlying possessions, and the District of Columbia. See Kentucky Statutes 446.010