Security Breach Requirements in the State of Kansas
Kan. Stat. § 50-7a01 is a data breach notification law that was passed in the U.S. state of Kansas in 2007. The law establishes the legal framework that organizations and businesses within Kansas are required to follow in the event that these entities are involved in a security breach that results in the personal information of residents being compromised. Furthermore, the law also establishes the sanctions and fines that businesses and organizations within the state of Kansas stand to face should they fail to comply with the provisions of the law as it concerns security breach incidents.
How is a security breach defined?
Under Kan. Stat. § 50-7a01, a security breach is defined as “any unauthorized access to and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity and that causes, or such Entity reasonably believes has caused or will cause, identity theft to any consumer.” Alternatively, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for or is not subject to further unauthorized disclosure.”
Moreover, as it concerns the scope and application of the law, Kan. Stat. § 50-7a01 applies to “any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency or other entity (collectively, Entity) that conducts business in KS and that owns or licenses computerized data that includes PI.” Conversely, Kan. Stat. § 50-7a01 does not apply to personal information that a particular entity within Kansas may govern or manage but does not own or control, irrespective of whether or not said entity conducts business within or outside of the state of Kansas.
What are the requirements of business entities?
Kan. Stat. § 50-7a01 mandates that business entities within the state of Kansas provide residents of the state with data breach notices in the event that personal information pertaining to said residents is compromised as a result of a security breach. These notices must be provided to residents “in the most expedient time possible and without unreasonable delay”, and must also detail the scope and nature of the security breach, as well as any steps the affected entity has taken to restore the reasonable integrity of the data system that was used to collect and store information. On the contrary, business entities within Kansas can provide residents of the state with substitute data breach notices, albeit under certain circumstances.
Such circumstances include instances where a business entity demonstrates that providing standard data breach notices to affected consumers would exceed $100,000, the number of consumers affected is more than 5,000, or a business entity does not have sufficient contact information to provide consumers with standard notifications. Subsequently, these substitute data breach notices must contain the following elements:
- Email notice, in instances where a business entity has the email addresses of affected consumers.
- The conspicuous posting of the substitute notice on the business entity’s website, if applicable.
- Notification to all major media outlets within the state of Kansas.
What categories of personal information are protected?
Under Kan. Stat. § 50-7a01 the following categories of personal information are protected under the law, in conjunction with a Kansas resident’s first name or initial and last name, unless this information has been redacted or encrypted:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers, debit card numbers, and credit card numbers, alone or in combination with any access codes, security codes, or passcodes that could be used to grant access to an individual’s financial account.
In terms of the enforcement of Kan. Stat. § 50-7a01, the provisions established in the law are enforced by the Kansas Attorney General. Notably, insurance companies within the state of Kansas are exempt from this enforcement, as violations of the law committed on behalf of insurance agencies within the state are instead enforced by the state insurance commissioner. Nevertheless, all other businesses and organizations that fail to comply with Kan. Stat. § 50-7a01 are subject to a number of sanctions and penalties. To further illustrate the potential severity of such penalties, the Kansas Department of Commerce was required to pay for the credit monitoring services of millions of residents within the state following a security breach that occurred in March of 2017.
As Kansas has yet to pass a comprehensive data protection law at the state level, as has been the case with the vast majority of U.S. states as of 2022, Kan. Stat. § 50-7a01 represents the primary means by which the personal information of Kansas residents is legally protected in the event that such information is compromised following a data breach. Through the oversight and ultimate determination of the Kansas Attorney General, said residents can rest assured that they will have legal recourse against any adverse consequences that may arise in the wake of a security breach.