This website provides general information regarding Kansas and Federal law in this area. It is not to be relied upon as legal advice or guidance. It is important for businesses to determine their obligations and to comply with Kansas and Federal law. For more information regarding Security Breaches, please contact a private attorney.
In 2015, more than 500 data breaches occurred in the United States. A conservative estimate of the number of records affected by those breaches is 160 million.* In the wake of these breaches, business owners and managers across the country are reexamining their Information Security procedures.
Security Breaches affect businesses of all sizes—from the one-owner specialty shop to the largest international banking institutions. Accordingly, both Kansas and Federal laws provide guidance for businesses facing the possibility of a Security Breach. This pamphlet examines the laws regarding Security Breaches and provides tips for avoiding and responding to such breaches.
*Source: Privacy Rights Clearinghouse.
- Computer hackers infiltrating a business’ computerized records containing Personal Information from an undisclosed location.
- A business disposing of records containing Personal Information into a trash dumpster without properly destroying the Personal Information by shredding, erasing, or otherwise modifying the Personal Information in the records to make it unreadable or indecipherable through any means.
- A person stealing an unsecured company laptop containing Personal Information.
Congress and Federal agencies have passed laws and regulations concerning Security Breaches. A few examples of such laws are the Privacy Act, the Federal Information Security Management Act, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act.
Duty to protect Personal Information
Since 2016, Kansas law has required that any person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person shall:
- Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and
- Exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure, and
- Unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records that contain personal information that are within the person’s custody or control when the person no longer intends to maintain or possess such records. Destruction of records shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means. (K.S.A. 50-6,139b.)
Duties in the event of a security breach
In 2006 the State of Kansas erected safeguards designed to limit the damage caused by Security Breaches. K.S.A. 50-7a01 through 50-7a04 contain the relevant definitions and obligations related to Security Breaches in the State of Kansas.
Kansas law requires any person who conducts business in this state that owns or licenses computerized data including personal information to conduct good faith investigations into the likelihood that personal information has been or will be misused when it becomes aware of any breach of the security of the system. (K.S.A. 50-7a02.) If the investigation reveals that Personal Information has been misused, or is likely to be misused, the person must give notice to the affected Kansas resident without unreasonable delay and as soon as possible.
When a Security Breach requires notification of more than 1,000 consumers at a time, Kansas law requires the person to also notify all nationwide consumer reporting agencies of the Security Breach. (K.S.A. 50-7a02.) Keep in mind that law enforcement may determine it best to delay notice to a consumer if it is determined that the notice could impede a criminal investigation.
Develop and implement a strong Information Security Policy
Good provisions for computer hard drives include password protection, encryption, firewall/antivirus software, and other common IT measures designed to limit exposure to a Security Breach. Physical records containing Personal Information should be locked in boxes and kept in secure locations.
Ensure that employees follow the policy
A policy is only effective if it is followed. Each employee should understand and follow the business’s Information Security Policy. The most proactive businesses incorporate job-specific training into the business’ overall employee training regimen.
Scale down
The less personal information around, the less vulnerable a business is to a Security Breach. Consider whether it is necessary for the business to keep credit card numbers and other personal information about customers.
Keep an eye on the laptops
One common Security Breach occurs when an employee leaves a laptop in an unsecured area. To avoid this problem, control access to the business’ laptops and ensure each employee keeps a vigilant watch over the business’ computers. Password protection and encryption can also help with this type of breach.
Properly dispose of Personal Information
Determine the length of time required for the business to maintain its records. If the business decides to dispose of Personal Information, be sure to take reasonable steps to destroy the Personal Information by shredding, erasing, or otherwise modifying the Personal Information in the records to make it unreadable or indecipherable through any means.
- Investigate the breach to determine whether Personal Information has been misused or is reasonably likely to be misused.
- Notify each affected Kansas resident in the most expedient time possible.
- Cooperate with law enforcement to determine whether notice should be delayed in order to avoid interfering with any criminal investigation.
- If circumstances require notifying more than 1,000 consumers at one time, notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notices.
- Consumers whose data has been breached may file a complaint with the attorney general’s office at www.InYourCornerKansas.org.