9 www.loubar.org December 2024 DECEMBER 2024 AWARENESS CALENDAR International Day of Persons with Disabilities (12/3) PODCAST RECOMMENDATION H H EE AA LL TT H H && W W EE LL LL N N EE SS SS CC O O RR N N EE RR WEBSITE RECOMMENDATION 63% of lawyers reported feeling overwhelmed and 49% experienced increased anxiety during the holiday months. Friday, December 13 | 5:30 PM - 7:30 PM | Location: The Café YLD + YLS + Law Student Members: FREE | LBA Members $15 | Non Members $25 | Reservations requested. sweater HOSTED BY: Second Annual The LBF Gratefully Recognizes its Foundation Partners for 2024 In 2024, the Louisville Bar Foundation will award more than $175,000 in grants to local non-profits for law-related projects. The LBF is grateful for the generous support from all the attorneys who made this possible and recognizes its 2024 Foundation Partners — those law firms and corporate law departments (with five or more at- torneys) where 100% of members made a financial gift to the Foundation to support its grantmaking activities. The combined support from the attorneys represented by these Foundation Partners totals more than $30,000. The generosity of the Founda- tion Partners and other individual LBA member attorneys makes it possible for the LBF to support and improve legal services for the poor, law-related public education and our judicial system. The LBF thanks those generous Foundation Partners listed below. For more informa- tion about how you can become a Foundation Partner, please contact Jeffrey A. Been at (502) 292-6734 or [email protected]. Applegate Fifer Pulliam Bahe Cook Cantley & Nefzger Bardenwerper Talbott & Robert Barnes Maloney Dentons Bingham Greenebaum Boehl Stopher & Graves Dinsmore & Shohl Frost Brown Todd Gray Ice Higdon Kaplan Johnson Abate & Bird LG&E and KU Energy McBrayer O’Bryan, Brown & Toner Phillips Parker Orberson & Arnett Stites & Harbison Stoll Keenon Ogden Tachau Meek Thomas Law Offices Thompson Miller & Simpson Wyatt, Tarrant & Combs YUM Brands/KFC consumer. • Identify safeguards that can be employed by the controller to reduce the risk (such as de-identified data). • Characterize the context of the processing, such as the relationship between the controller and the consumer. • Weigh the benefit against the mitigated risk and consumer expecta- tions. Contracts with Third Parties The new privacy laws require a covered business to execute contracts containing statutorily required language with processors and third parties receiving “de-identified” data. A contract between a covered business that is a “controller” and their “processor” must: • Require every person processing personal data to be subject to a duty of confidentiality, • Require the processor to return or delete all personal data at the end of the contract, unless retention is required by law, • Require the processor to make available all information necessary to demonstrate the processor’s compliance with its obligations, • Either allow and cooperate with the controller’s assessments, or the assessment of a qualified and independent assessor, to demonstrate adequate physical, administrative and technological controls, • Require the processor to execute a written contract with any subcon- tractor engaged to process the controller’s data that passes down all the above obligations. A covered business disclosing de-identified data must contractually obligate any recipients of the de-identified data to comply with the KDCPA or IDCPA. Next Steps First, determine whether your business meets the jurisdictional threshold under either the KDCPA or ICDPA to be a covered business. Second, bring together institutional stakeholders that understand the organizational makeup of your business and can help identify where the personal data of consumers is being processed. Although the market- ing department may be an easily identifiable risk area, what about the use of historic data by the IT department in test environments? Is there a consumer-facing sales department? Does your business operations center run the customer loyalty program, or receive feedback messages through an email inbox or webform from customers? Learning about each department’s collection and use of data will help your organization as it moves toward compliance with the KCDPA and IDCPA. Third, to the extent your business hasn’t already, adopt the required pro- cessing principles in your business operations, start amending contracts with third-party service providers, adopt a consumer rights request and data protection impact assessment process and update your online privacy notice. Conclusion Because the journey to compliance can be long, covered businesses should begin preparing for the impact of these new laws on their collection, stor- age and dissemination of consumer data now. Partnering with experienced third parties, whether they be technology vendors or outside counsel, can ensure that the road to compliance with the KCDPA and ICDPA is not just a box ticking exercise, but an investment that protects and increases the value of the personal data the organization holds. Dalton Cline is an associate at Dentons Bingham Greenebaum in the Data Pri- vacy and Cybersecurity Group. As a Certified Information Privacy Professional (CIPP/US, CIPM, CIPT), Dalton advises clients on a wide range of state and federal privacy and security laws. He graduated from the University of Louisville Brandeis School of Law in 2022 and worked as a privacy analyst for the University of Illinois Urbana Champaign prior to joining Dentons. n THE LOUISVILLE BAR FOUNDATION (continued from previous page)
