Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Kansas residents.
Definition includes financial account number or credit card/debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.
“Security Breach” means unauthorized access to and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information and that causes, or the covered entity reasonably believes has caused or will cause, identity theft to any consumer.
“Encrypted” means transformation of data through the use of algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.
“Redacted” means the alteration or truncation of data so that no more than five digits of a social security number, or the last four digits of a driver’s license number, state identification number, or account number are accessible as part of the personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
A person or legal entity that conducts business in Kansas that owns or licenses computerized data that includes personal information.
Third party recipients:
An individual or commercial entity that maintains or otherwise possesses personal information that the individual or commercial entity does not own must notify the owner or licensee of the information of any security breach following discovery of unauthorized access and acquisition of personal information.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs exceed $100,000, the affected class exceeds 5,000 persons, or the covered entity does not have sufficient contact information.
- Notification is not required if, after a reasonable and prompt investigation, the covered entity determines it is not reasonably likely that misuse of the personal information has or will occur.
Any person that must notify more than 1,000 persons at one time of a security breach is also required promptly to notify consumer reporting agencies.
A covered entity must take reasonable steps to destroy or arrange for destruction of customer’s records within its custody or control containing personal information by shredding, erasing, or otherwise modifying personal information so it is no longer readable or decipherable.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Kansas statute does not apply to an individual or commercial entity who complies with notification requirements imposed by its primary or functional federal regulator.
Kansas statute does not apply to an individual or commercial entity that maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Kansas statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Does not require notification to attorney general.
Attorney general empowered to bring actions in law or equity to address violations.
The Kansas insurance commissioner has sole authority over insurance companies who violate the Kansas statute.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.