50-7a01. Consumer information; security breach; definitions.

Chapter 50.--UNFAIR TRADE AND CONSUMER PROTECTION
Article 7a.--PROTECTION OF CONSUMER INFORMATION

      50-7a01.   Consumer information; security breach; definitions. As used in K.S.A. 2009 Supp. 50-7a01 and 50-7a02, and amendments thereto:

      (a)   "Consumer" means an individual who is a resident of this state.

      (b)   "Encrypted" means transformation of data through the use of algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

      (c)   "Notice" means:

      (1)   Written notice;

      (2)   electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001; or

      (3)   substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, or that the affected class of consumers to be notified exceeds 5,000, or that the individual or the commercial entity does not have sufficient contact information to provide notice.

      (d)   "Redact" means alteration or truncation of data such that no more than the following are accessible as part of the personal information:

      (1)   Five digits of a social security number; or

      (2)   the last four digits of a driver's license number, state identification card number or account number.

      (e)   "Substitute notice" means:

      (1)   E-mail notice if the individual or the commercial entity has e-mail addresses for the affected class of consumers;

      (2)   conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains a website; and

      (3)   notification to major statewide media.

      (f)   "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency or other entity.

      (g)   "Personal information" means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted:

      (1)   Social security number;

      (2)   driver's license number or state identification card number; or

      (3)   financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account. The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

      (h)   "Security breach" means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.

      History:   L. 2006, ch. 149, § 3; July 1.