In 2014, at least 297 data breaches occurred in the United States, affecting an estimated 67.9 million records.* In the wake of these breaches, business owners and managers across the country are reexamining their Information Security procedures.
Data breaches affect businesses of all sizes—from the one-owner specialty shop to the largest international banking institutions. Accordingly, both Kansas and Federal laws provide guidance for businesses facing the possibility of a data breach. This page examines the laws regarding data breaches and provides tips for avoiding such breaches.
*Source: Privacy Rights Clearinghouse.
Examples of data breaches include:
- Computer hackers infiltrating a business’ computerized records containing personal information from an undisclosed location.
- A business disposing of records containing personal information into a trash dumpster without properly destroying the personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or indecipherable through any means.
- A person stealing an unsecured company laptop containing personal information.
In 2006 the State of Kansas erected safeguards designed to limit the damage caused by data breaches. K.S.A. 50-7a01 through 50-7a04 contain the relevant definitions and obligations related to data breaches in the State of Kansas. The Attorney General is empowered to bring an action in law or equity to address violations of these laws. Kansas law requires any person who conducts business in this state that owns or licenses computerized data including personal information to conduct good faith investigations into the likelihood that personal information has been or will be misused. K.S.A. 50-7a02.
If the investigation reveals that personal information has been misused, or is likely to be misused, the person must give notice to the affected Kansas resident as soon as possible. When a data breach requires notification of more than 1,000 consumers at a time, Kansas law requires the person to also notify all nationwide consumer reporting agencies of the data breach. K.S.A. 50-7a02. Keep in mind that law enforcement may determine that notice to a consumer should be delayed if the notice could impede a criminal investigation.
Kansas law requires a person or business to take reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information which is no longer to be retained by the person or business. Specifically, Kansas law requires that such records be shredded, erased, or otherwise modified to make the personal information in the records unreadable or indecipherable through any means. K.S.A. 50-7a03.
Congress and Federal agencies have also passed laws and regulations concerning data breaches. A few examples of such laws are the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act.
These Federal Acts generally divide businesses into sectors (e.g. Health Care, Financial, Educational, etc.) and focus the requirements upon each sector’s use of the protected information. The Federal Acts usually require covered entities to develop an information security policy and notify persons affected by breaches of such policy.
Tips for avoiding a data breach:
- Develop and implement a strong Information Security Policy. Good provisions for computer hard drives include password protection, encryption, firewall/antivirus software, and other common IT measures designed to limit exposure to a data breach. Physical records containing personal information should be locked in boxes and kept in secure locations.
- Ensure that employees follow the policy. A policy is only effective if it is followed. Each employee should understand and follow the business’s Information Security Policy. The most proactive businesses incorporate job-specific training into the business’ overall employee training regimen.
- Scale down. The less personal information around, the less vulnerable a business is to a data breach. Consider whether it is necessary for the business to keep credit card numbers and other personal information about customers.
- Keep an eye on the laptops. One common data breach occurs when an employee leaves their laptop in an unsecured area. To avoid this problem, control access to the business’ laptops and ensure each employee keeps a vigilant watch over the business’ computers. Password protection and encryption can also help with this type of breach.
- Properly dispose of personal information. Determine the length of time the business is required to maintain its records. If the business decides to dispose of personal information, be sure to take reasonable steps to destroy the personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or indecipherable through any means.
If a data breach occurs, Kansas law requires the business to:
- Investigate the breach to determine whether personal information has been misused or is reasonably likely to be misused.
- Notify each affected Kansas resident in the most expedient time possible.
- Cooperate with law enforcement to determine whether notice should be delayed in order to avoid interfering with any criminal investigation.
- If circumstances require notifying more than 1,000 consumers at one time, notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notices.