50-7a02. Security breach; requirements.
(a) A person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
(c) Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this section shall be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.
(d) Notwithstanding any other provision in this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
(e) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section. This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.
(f) In the event that a person discovers circumstances requiring notification pursuant to this section of more than 1,000 consumers at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the timing, distribution and content of the notices.
(g) For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section and for other relief that may be appropriate. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.
(h) For violations of this section by an insurance company licensed to do business in this state, the insurance commissioner shall have the sole authority to enforce the provisions of this section.
History: L. 2006, ch. 149, § 4; July 1.