Bench & Bar May/June 2025
FEATURE: INTELLECTUAL PROPERTY
In practice, a processor may be more willing to accept a potential assessment from the business, rather than a required external audit. Common frameworks include the NIST Privacy[18] and Cybersecurity[19] Frameworks, the International Standards Organization (ISO) ISO/IEC 27001,[20] and the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technologies (COBIT) Framework.[21] Common control standards include NIST SP 800-53 Rev. 5[22] and ISO 27001.

It is also common for the DPA to address the minimum security standards that the business requires its service providers to meet, define terms, and outline the procedures for responding to data subject rights requests and data breaches.

All 50 states have data breach laws that obligate the controller to notify affected parties and, depending on the jurisdiction the data subject resides in and the number of impacted individuals, may also require notice to the attorney general, the media, credit reporting bureaus, or additional regulators.

CONDUCT DATA PROTECTION IMPACT ASSESSMENT PRIOR TO CERTAIN PROCESSING ACTIVITIES.[23]

A data protection impact assessment must be conducted before processing “sensitive” data, or prior to processing personal data where the purpose is targeted advertising, is a “sale,” or presents a reasonably foreseeable risk of harm. This assessment must:
• Identify benefits that may flow from the processing to the business, consumer, other stakeholders and the public.
• Identify potential risks to the rights of the consumer.
• Identify safeguards that can be employed by the controller to reduce the risk (such as de-identified data).
• Characterize the context of the processing, such as the relationship between the controller and the consumer.
• Weigh the benefit against the mitigated risk and consumer expectations.

Any organization that is only beginning its compliance journey must be aware that the road to compliance can be a long one, often taking more than a year. Partnering with experienced advisors, whether they be technology vendors or outside counsel, can ensure that the road to compliance with the KCDPA and ICDPA is not just a box-ticking exercise, but an investment that protects and increases the value of the personal data the organization holds.

ABOUT THE AUTHORS
Partner KYLE MILLER, CIPP/US, and Associate DALTON CLINE, CIPP/US, CIPM, CIPT, are members of Dentons’ global privacy and cybersecurity practice, based in the Louisville office. Miller’s practice builds on his career as a cybersecurity professional in bringing value to clients with needs related to cybersecurity, data privacy, and technology. He is the chapter chair of IAPP KnowledgeNet in Louisville and serves on the Kentucky Science Center’s Board of Directors. Miller earned his J.D. from Vanderbilt University Law School, his M.S. in applied information technology from Bellarmine University, and his B.A. in political science from the University of Louisville. Cline routinely advises businesses in a variety of industries and sectors regarding compliance with domestic and international data privacy and cybersecurity laws and regulations. He is the current co-chair of the Louisville Bar Association’s AI/IP/Privacy Law Section. Cline earned his J.D. from the University of Louisville Brandeis School of Law and his B.A. in worldview and apologetics from The Southern Baptist Theological Seminary.
ENDNOTES
1. There are a number of “data” exemptions as well.
2. IC 24-15-1-1(b)(1)(B) provides an exemption for a governmental entity third-party service provider, to the extent that the third party is acting within the scope of the contract with the governmental entity.
3. (f) organization that (1) does not provide net earning to, or operate in any manner that insures to the benefit of, any officer, employee, or shareholder of the entity; and (2) is an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting: (a) law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or (b) first responders in connection with catastrophic events.
4. Cf. KRS § 367.3613(4), IC § 24-15-5-3.
5. KRS § 367.3611(21), IC § 24-15-2-21.
6. KRS § 367.3611(7), IC § 24-15-2-8.
7. KRS § 367.3611(19), IC § 24-15-2-19.
8. KRS § 367.3611(27), IC § 24-15-2-27. While Kentucky, Indiana, Iowa, Utah, and Virginia limit “sale” to “monetary consideration,” California, Colorado, Connecticut, Delaware, Montana, Oregon, Tennessee, and Texas use the broader “monetary or other valuable consideration.”
9. KRS § 367.3627(2), IC § 24-15-10-3.
10. KRS § 367.3627(3), IC § 24-15-10-2.
11. Cf. KRS § 367.3615 §§ (2)(a)-(e), 4(1)(e) & IC 24-15-3-1(b)(1)-(5), 24-15-4-1(5).
12. Defined as “a decision made by a controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities like food and water.” KRS § 367.3611(10), IC 24-15-1.
13. KRS § 367.3615(3)(c), IC § 24-15-3-1(c)(3).
14. Cf. KRS § 367.3617(3)-(5); IC 24-15-4-3 – 5.
15. Cf. KRS § 367.3617(1)(a)-(d), IC 24-15-4-1(1)-(4).
16. Cf. KRS § 367.3623(1), IC 24-15-7-1.
17. KRS § 367.3619(2); IC 24-15-5-2(a).
18. Privacy Framework, https://www.nist.gov/privacy-framework (last visited April 9, 2025).
19. Cybersecurity Framework, https://www.nist.gov/cyberframework (last visited April 9, 2025).
20. ISO/IEC 27001:2022, https://www.iso.org/standard/27001 (last visited April 9, 2025).
21. COBIT, an ISACA Framework, https://www.isaca.org/resources/cobit (last visited April 9, 2025).
22. NIST Computer Security Resource Center, https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final (last visited April 9, 2025).
23. Cf. KRS § 367.3621, IC 24-15-6.