380.070 Debt adjuster to take reasonable measures to protect debtor's personal
458 words·~2 min read·
/ky/380-070A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
information.
(1)A debt adjuster shall take reasonable measures to:
(a)Ensure the security and confidentiality of a debtor's personal information;
(b)Protect against any anticipated threats or hazards to the security or integrity of
a debtor's personal information; and
(c)Protect against unauthorized access to or use of a debtor's personal
information.
(2)The reasonable measures required by this section shall include, at a minimum:
(a)Design and implementation of a comprehensive information security program
that:
1. Is written in one
(1)or more readily accessible parts;
2. Contains administrative, technical, and physical safeguards that are
appropriate to the size and complexity of the debt adjuster, the nature
and scope of the debt adjuster's activities, and the sensitivity of any
personal information at issue;
3. Designates one
(1)or more employees to coordinate compliance with
the information security program; and
4. Identifies reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of the personal information of a
debtor that could result in the unauthorized access to or use of the
information, and assesses the sufficiency of any safeguards in place to
control these risks. At a minimum, the risk assessment required by this
subparagraph shall include consideration of risks in each relevant area of
the debt adjuster's operation, including employee training and
management, information systems, information processing, information
storage, information transmission, information disposal, and detecting,
preventing, and responding to failures to comply with the information
security program.
(b)Design and implementation of information safeguards to control the risks
identified by the risk assessment required by this subsection, as well as regular
testing or other monitoring of the effectiveness of the safeguards of key
controls, systems, and procedures;
(c)Requirements for regular training of employees who will or may have access
to records containing personal information of debtors regarding compliance
with the information security program required by this subsection;
(d)Oversight of service providers to whom personal information of a debtor will
be disclosed, by taking reasonable steps to select and retain service providers
that are capable of maintaining appropriate safeguards for the personal
information at issue, as well as requiring service providers, by contract, to
implement and maintain those safeguards;
(e)Evaluation and adjustment of the information security program in light of the
results of testing and monitoring, any material changes to the operation or
business arrangements of the debt adjuster, or any other circumstances that the
debt adjuster knows or has reason to know may have a material impact on
compliance with the information security program; and
(f)A requirement that when records containing personal information of a debtor
are disposed of the records shall be shredded, erased, or otherwise modified so
the personal information is made unreadable or indecipherable through any
means.