Kansas Data Security Breach Notification
K.S.A. § 50-7a01, et seq.
SUMMARY:
EFFECTIVE. January 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person, entity or government agency or subdivision that conducts business in Kansas and owns or licenses computerized data that includes Personal Information; and (2) any person or entity maintaining information on state residents which includes Personal Information that it does not own.
WHAT IS A BREACH. The unauthorized acquisition of and access to unencrypted or unredacted computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person or business which causes or is reasonably likely to cause identity theft of a Kansas resident. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used for or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number either alone or in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Kansas residents. If more than 1,000 Kansas residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Kansas individuals are notified by the person or business in accordance with its policies.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section, if the affected Kansas individuals are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent by the person or business as soon as possible after it becomes aware of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement and with any measures necessary to determine the nature and scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation and the delay is requested by law enforcement. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is consistent with 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $100,000, the affected class of persons to be notified exceeds 5,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if the person or business has a website.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data which includes Personal Information that it does not own, then the person or business shall notify the owner or licensee upon discovery of a breach. The person or business that owns or licenses the computerized data shall provide notice to the individual.
CONSEQUENCES FOR FAILING TO NOTIFY. With the exception of insurance companies, the state Attorney General may bring an action in law or equity to address violations of this Section and to obtain other relief. Violations by insurance companies will be enforced by the insurance commissioner.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Kan. Stat. § 50-6,139b(2). A holder of personal information shall, unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records within such holder's custody or control containing any person's personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.
LEGISLATIVE UPDATES.
S.B. 196 – Signed into law on 4/19/2006, Effective 1/1/2007.
For more information, see here: http://www.kslegislature.org/li_2020/b2019_20/statute/050_000_0000_chapter/050_007a_0000_article/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.