Your Identity

Identity theft is a crime – and a violation of the Kansas Consumer Protection Act. Identity thieves can take out loans or obtain credit cards and even driver's licenses in your name. They can do damage to your financial history and personal reputation that can take years to unravel. But if you understand how to protect yourself, you can help stop this crime.

Thieves can steal your identity by obtaining your personal financial information online, at the door, over the phone or even by going through your trash. What they want are account numbers, passwords, Social Security numbers, and other confidential information that they can use to loot your checking account or run up bills on your credit cards.

Learn more about how to protect yourself from identity theft and what to do if you have become a victim by exploring the links below.

Did You Know?

The FTC received 490,220 identity theft complaints in 2016.

• Never provide personal financial information, including your Social Security number, account numbers or passwords, over the phone or the Internet if you did not initiate the contact. E-mails created by scammers may look exactly like the real thing and may contain viruses that can contaminate your computer.
• Never click on the link provided in an e-mail you believe is fraudulent.
• Do not be intimidated by an e-mail or caller who suggests dire consequences if you do not immediately provide or verify financial information.
• If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and Web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet and contact them directly.
• Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.
• Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.
• If you fall victim to an attack, act immediately. Alert your financial institution. Place fraud alerts on your credit files. Monitor your credit files and account statements closely.
• Report suspicious e-mails or calls to the Federal Trade Commission through the Internet at ReportFraud.ftc.gov, or by calling 1-877-IDTHEFT.

Did You Know?

You can request a free copy of your credit report once a year from each of the three largest credit bureaus? Request your credit report now.

• Contact your financial institution immediately and alert it to the situation.
• Call the three major credit bureaus to place a fraud alert on your file, preventing thieves from opening a new account in your name.
  • Equifax, 800-685-1111
    P.O. Box 740250
    Atlanta, GA 30374
  • Experian, 888-397-3742
    P.O. Box 1017
    Allen, TX 75013
  • TransUnion, 800-916-8800
    P.O. Box 2000
    Chester, PA 19016
• Call the security numbers located on the back of your stolen credit cards. These numbers can also be found on your credit card billing statements
• Contact your local law enforcement to file a police report.
• Report the theft and your response to Attorney General Kris Kobach's Office.

Additional Information

For more information, download this free identity theft repair publication from the Federal Trade Commission:

• Taking Charge: What to do if your identity is stolen

Did You Know?

Identity theft is the fastest growing crime in America.

This website provides general information regarding Kansas and Federal law in this area. It is not to be relied upon as legal advice or guidance. It is important for businesses to determine their obligations and to comply with Kansas and Federal law. For more information regarding Security Breaches, please contact a private attorney.

In 2015, more than 500 data breaches occurred in the United States. A conservative estimate of the number of records affected by those breaches is 160 million (Source: Privacy Rights Clearinghouse). In the wake of these breaches, business owners and managers across the country are reexamining their Information Security procedures.

Security Breaches affect businesses of all sizes–from the one-owner specialty shop to the largest international banking institutions. Accordingly, both Kansas and Federal laws provide guidance for businesses facing the possibility of a Security Breach. This pamphlet examines the laws regarding Security Breaches and provides tips for avoiding and responding to such breaches.

What are some examples of security breaches?

• Computer hackers infiltrating a business' computerized records containing Personal Information from an undisclosed location.
• A business disposing of records containing Personal Information into a trash dumpster without properly destroying the Personal Information by shredding, erasing, or otherwise modifying the Personal Information in the records to make it unreadable or indecipherable through any means.
• A person stealing an unsecured company laptop containing Personal Information.

What federal laws apply to security breaches?

Congress and Federal agencies have passed laws and regulations concerning Security Breaches. A few examples of such laws are the Privacy Act, the Federal Information Security Management Act, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act.

What laws in Kansas apply to security breaches?

Duty to protect Personal Information

Since 2016, Kansas law has required that any person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person shall:

1. Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and
2. Exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure, and
3. Unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records that contain personal information that are within the person's custody or control when the person no longer intends to maintain or possess such records. Destruction of records shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means. (K.S.A. 50-6,139b.)

Duties in the event of a security breach

In 2006 the State of Kansas erected safeguards designed to limit the damage caused by Security Breaches. K.S.A. 50-7a01 through 50-7a04 contain the relevant definitions and obligations related to Security Breaches in the State of Kansas.

Kansas law requires any person who conducts business in this state that owns or licenses computerized data including personal information to conduct good faith investigations into the likelihood that personal information has been or will be misused when it becomes aware of any breach of the security of the system. (K.S.A. 50-7a02.) If the investigation reveals that Personal Information has been misused, or is likely to be misused, the person must give notice to the affected Kansas resident without unreasonable delay and as soon as possible.

When a Security Breach requires notification of more than 1,000 consumers at a time, Kansas law requires the person to also notify all nationwide consumer reporting agencies of the Security Breach. (K.S.A. 50-7a02.) Keep in mind that law enforcement may determine it best to delay notice to a consumer if it is determined that the notice could impede a criminal investigation.

Tips to avoid security breaches

Develop and implement a strong Information Security Policy

Good provisions for computer hard drives include password protection, encryption, firewall/antivirus software, and other common IT measures designed to limit exposure to a Security Breach. Physical records containing Personal Information should be locked in boxes and kept in secure locations.

Ensure that employees follow the policy

A policy is only effective if it is followed. Each employee should understand and follow the business's Information Security Policy. The most proactive businesses incorporate job-specific training into the business' overall employee training regimen.

Scale down

The less personal information around, the less vulnerable a business is to a Security Breach. Consider whether it is necessary for the business to keep credit card numbers and other personal information about customers.

Keep an eye on the laptops

One common Security Breach occurs when an employee leaves a laptop in an unsecured area. To avoid this problem, control access to the business' laptops and ensure each employee keeps a vigilant watch over the business' computers. Password protection and encryption can also help with this type of breach.

Properly dispose of Personal Information

Determine the length of time required for the business to maintain its records. If the business decides to dispose of Personal Information, be sure to take reasonable steps to destroy the Personal Information by shredding, erasing, or otherwise modifying the Personal Information in the records to make it unreadable or indecipherable through any means.

What to do if your data is breached

• Investigate the breach to determine whether Personal Information has been misused or is reasonably likely to be misused.
• Notify each affected Kansas resident in the most expedient time possible.
• Cooperate with law enforcement to determine whether notice should be delayed in order to avoid interfering with any criminal investigation.
• If circumstances require notifying more than 1,000 consumers at one time, notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notices.
• Consumers whose data has been breached may file a complaint with the attorney general's office.

Every day, you provide personal information to businesses and organizations you do business with. Unfortunately, that information is sometimes compromised by hackers. Kansas law requires businesses and government agencies that have experienced a security breach to notify affected consumers. Common types of security breaches include computer hackers infiltrating a business' computerized records, a business improperly disposing of records containing personal information, or a stolen computer containing personal information.

If you believe your personal information may have been compromised, here are some steps you should take:

Monitor affected accounts

If your credit or debit card information has been compromised in a data breach, you should closely check your statements for those accounts for any charges you did not authorize. If you see any suspicious activity, contact your bank or credit card company immediately to report it and request a new card and new PIN number.

Sign up for free credit monitoring

In the event of a security breach, companies are often required to provide consumers with free credit monitoring services. If you receive a notice that you are eligible for such services, be sure to verify with your bank or credit card company that the offer is legitimate, and not just another attempt to access your personal information.

Request a fraud alert

You can request a fraud alert be placed on your credit report by the three credit bureaus. This will place a note on your report that you were the victim of fraud, and alerts creditors to verify your identity before opening new accounts. Contact the credit bureaus to request fraud alerts:

• Equifax: 1-800-525-6285
• Experian: 1-888-397-3742
• TransUnion: 1-800-680-7289

You only need to request a fraud alert from one of the three credit bureaus. The law requires the bureau you contact to notify the other two bureaus.

Request a security freeze

A security freeze will place a hold on all access to your credit report. Credit reporting agencies are required to provide this service for free to all Kansans. While this is a good way to prevent further accounts from being opened in your name, it also means extra work for you to lift the freeze if you do apply for a new loan or credit account.

Learn more about security freezes

Monitor your credit report

Continue to monitor your credit reports on a regular basis. You can request a free copy of each of your three reports annually at www.annualcreditreport.com. Rather than requesting all reports from all three credit bureaus at once, some consumers find it more useful to request one report every four months for more frequent monitoring.

Did You Know?

Identity theft is the fastest growing crime in America.

What is a security freeze?

A security freeze prohibits the credit bureaus, with certain exceptions, from releasing your credit report or any information on it without your express authorization. Since most businesses will not open credit accounts without first requesting a credit report, a security freeze can help stop an identity thief from opening any more accounts in your name.

Beginning July 1, 2018, credit reporting agencies are required to allow Kansans to place or remove a security freeze on their credit reports free of charge. (2018 House Bill 2580)

How do I get a security freeze?

You must request the credit freeze individually with each of the three credit bureaus. You can request a credit freeze online through the credit bureaus' websites. Click the links below to get started:

• Equifax
• Experian
• TransUnion

You may also make your request by sending a certified letter to the credit bureaus at the following addresses:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013

Trans Union Security Freeze
P.O. Box 2000
Chester, PA 19016

Each request should include the following:

• Your full name, address, Social Security number and date of birth;
• Any previous addresses where you have lived in the last five years;
• Proof of your current address, such as a copy of a utility bill; and
• A copy of your government-issued identification card, such as a driver's license or passport.

How long does it take to get a security freeze?

The credit bureaus will place the security freeze on your accounts within five days of receiving your letter.

Within 10 days of receiving your letter, the credit bureaus will send you a confirmation letter, which will include a PIN or password, which you will need to remove your security freeze or authorize release of your credit report to creditors. Store this PIN or password in a safe place for future use.

How do I apply for new credit with a security freeze in place?

If you wish to apply for credit while the security freeze is in place, you will need to contact the credit bureaus and ask that your security freeze be temporarily lifted to allow a creditor to access your report. You will need your PIN or password you received when you placed the security freeze to identify yourself to the credit reporting agencies. The credit bureaus are required to lift the freeze within three days of receiving your request.

Who can see my report while my file is frozen?

Your existing creditors may still be able to access your credit report for the purposes of collecting the debt, account maintenance, monitoring, credit line increases or account upgrades and enhancements. Private collection agencies are allowed to access your report to assist in the collection of existing debt. Other exceptions include government agencies, potential employers and insurance providers.

You are also allowed to request a copy of your own report while your files are frozen.

Did You Know?

Identity theft is the fastest growing crime in America.

Beginning January 1, 2017, parents or legal guardians may request a security freeze for children under the age of 16 at the time of the request. The credit reporting agencies are required to place the freeze on the child's record, regardless of whether the agency previously had a credit report file on the child.

You may be required to submit proof that you are the child's parent or legal guardian.

Visit the credit reporting agencies at the links below to learn more about how to place a security freeze for a minor child:

• Equifax
• Experian
• TransUnion

Did You Know?

Identity theft is the fastest growing crime in America.