The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Individuals, businesses, and governmental entities that maintain, own, or license personal information
Consumer Notification: Notification must be provided to any Kansas resident whose unencrypted or unredacted personal information was accessed and acquired on an unauthorized basis and whose security, confidentiality, or integrity was compromised as a result, or where there is a reasonable belief that the breach has caused, or will cause, identity theft.
Regulatory Notification: N/A
Notification Timeline: Notice must be made in the “most expedient time possible” and “without unreasonable delay”.
Data Format: Electronic.
Citations: Kan. Stat. §§ 50-7a01, 50-7a02, 50-7a04
- Breach: Unauthorized access and acquisition that compromises the “security, confidentiality or integrity” of personal information, or that the subject entity reasonably believes has caused, or will cause, identity theft.
- Personal Information (PI): First name or first initial and last name in combination with one of the following data elements:
  - Social security number;
  - Driver's license number or state identification card number; or
  - Financial account number, or credit or debit card number, “alone or in combination with” a required security or access code or password that would permit access.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: A “breach” does not occur if the personal information was encrypted or redacted.
- Good Faith: Good faith acquisition of personal information for legitimate purposes is not a breach, provided the information is not used for unauthorized disclosure.
- Risk of Harm: Notification is not required where, after a reasonable and prompt investigation, an entity determines that “misuse of information” has not occurred or is unlikely to occur.
- Law Enforcement Delay: Notice can be delayed if law enforcement determines that the notice will “impede a criminal investigation” and shall be made without unreasonable delay as soon as possible after law enforcement determines notification will no longer impede the investigation.
- Timing: Notice must be made in the “most expedient time possible” and “without unreasonable delay”.
- Format: N/A
- Content: N/A
- Method: Written notice; or electronic notice, if the notice provided is “consistent with the provisions regarding electronic records and signatures” per E-SIGN.
Substitute notice is allowed if the cost of providing notice will exceed $100,000, the affected class of consumers to be notified exceeds 5,000, or there is not sufficient contact information to provide notice. Substitute notice shall include: (1) e-mail notice if the entity has e-mail addresses for the affected consumers; (2) conspicuous posting of the notice on the entity's web site; and (3) notification to major statewide media.
Credit Reporting Agencies Notice:
If notification is made to 1,000 consumers at one time, the person shall also notify, “without unreasonable delay,” all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the “timing, distribution and content of the notices”.
If an entity maintains personal information that it does not own or license, it must notify the owner or licensee of a breach following discovery of the breach.
The state attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate.
Information Security Standard
Covered Entities: Any individual, partnership, corporation, trust, estate, cooperative, association, government, government agency, or other entity, who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.
First Party Security Standard: A holder of personal information shall implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. If federal or state law or regulation governs the procedures and practices of the holder of personal information for such protection of personal information, then compliance with such federal or state law or regulation shall be deemed compliance with this paragraph and failure to comply with such federal or state law or regulation shall be prima facie evidence of a violation of this paragraph.
Third Party Security Standard: N/A
Disposal/Destruction Standard: Unless otherwise required by federal law or regulation, a holder of personal information shall take reasonable steps to destroy or arrange for the destruction of any records within such holder's custody or control containing any person's personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.
Data Format: Electronic and physical.
Citations: K.S.A. §§ 50-6,139b, 50-7a01(g)
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following unencrypted data elements:
  - Social Security number;
  - Driver’s license number or state identification card number; or
  - Financial account number, or credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define what constitutes “reasonable security procedures and practices …”.
Nothing in this section relieves a holder of personal information from any duty to comply with other requirements of state and federal law regarding the protection of such information.
Notwithstanding any other provision of law to the contrary, the exclusive authority to bring an action for any violation of this section shall be with the attorney general. Nothing in this section shall be construed to create or permit a private cause of action for any violation of this section.