Global Data Privacy Guide
USA, Kansas (United States)
Firm: Foulston Siefkin LLP
Contributors: Daniel Buller
What is the key legislation? | Several statutory sections address data-security and privacy obligations under Kansas law. The primary section governing data-security and breach-notification obligations is Kan. Stat. Ann. § 50-7a01, et seq. The Kansas Consumer Protection Act, Kan. Stat. Ann. § 50-6,139b, also imposes data-retention and related obligations on holders of “personal information.” |
What data is protected? | Kansas’s breach-notification law protects “personal information,” which is defined as a consumer’s first and last name or first initial and last name plus one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state identification card number; or (iii) financial account number or credit card number alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. Kan. Stat. Ann. § 50-7a01(g); Kan. Stat. Ann. § 50-6,139b(a)(3). “Personal information” does not include “publicly available information that is lawfully made available to the general public from federal, state or local government records.” Kan. Stat. Ann. § 50-7a01(g). |
Who is subject to privacy obligations? | Kansas’s breach-notification obligations apply to any “person that conducts business in [Kansas], or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information.” Kan. Stat. Ann. § 50-7a02(a). Kansas’s Consumer-Protection Act’s data-security obligations apply to all “holders” of personal information. A “holder” is “a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.” Kan. Stat. Ann. § 50-6,139b(a)(1). |
What are the principles applicable to personal data processing? | There are no specific regulations governing the collection of personal data in Kansas. The Kansas Attorney General has exclusive authority to bring an action for violation of data-security obligations set forth in Kan. Stat. Ann. § 50-6,139b, et seq. Except for violations by insurance companies, the Kansas Attorney General is also empowered, though not exclusively, to bring actions for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. For breach-notification violations by an insurance company, enforcement authority is vested solely in the Kansas Insurance Commissioner. Kan. Stat. Ann. § 50-7a02(h). Courts have noted that whether a private cause of action exists for breach-notification violations under Kan. Stat. Ann. § 50-7a01, et seq. is ambiguous. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014) (denying a motion to dismiss). |
How is the processing of personal data regulated? | A holder of personal information must “maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.” Kan. Stat. Ann. § 50-6,139b(b). |
How are storage, security and retention of personal data regulated? | Unless otherwise required by federal law or regulation, a holder of personal information must “take reasonable steps to destroy or arrange for the destruction of any records within such holder’s custody or control containing any person’s personal information when such holder no longer intends to maintain or possess such records.” Kan. Stat. Ann. § 50-6,139b(b)(2). The statute provides that destruction must be by “shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.” Id. |
What are the data subjects' rights? | N/A |
Are there restrictions on cross-border data transfers? | N/A |
Are there any notification requirements for data breaches? | If, after a prompt and reasonable investigation, the owner or licensor of personal information determines that the data has been accessed and acquired and is reasonably likely to be “misused,” the breached entity must give “notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay,” consistent with law-enforcement needs. Kan. Stat. Ann. § 50-7a02(a). The notice must be given to all affected Kansas residents. Id. An individual or commercial entity that maintains data that includes personal information that the individual or entity does not own or license must notify the owner or licensee of the information following a data breach if the personal information is reasonably believed to have been accessed and acquired by an unauthorized person. Kan. Stat. Ann. § 50-7a02(b). See also Kan. Stat. Ann. § 72-6318 for similar notification obligations relating to student data. See also Kan. Stat. Ann. § 75-7240 for responsibilities of Kansas executive branch agency heads. |
Who is the privacy regulator? | The Kansas Attorney General and the Kansas Insurance Commissioner. See our answer to "How is the collection of personal data regulated?". |
What are the consequences of a privacy breach? | For violations of Kansas’s breach-notification law, the Attorney General may bring an action in law or in equity “and for other relief that may be appropriate.” Kan. Stat. Ann. § 50-7a02(g). This remedy is “not-exclusive” and may allow for private causes of action to address violations. See id. See also In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1169 (D. Minn. 2014). Each record that is “not destroyed” in compliance with Kansas’s data-retention law is “a separate unconscionable act” under Kansas’s Consumer-Protection Act and subject to civil penalties under that section. Kan. Stat. Ann. § 50-6,139b(d). |
How is electronic marketing regulated? | Kansas has adopted the Commercial Electronic Mail Act, which prohibits the transmission of certain forms of “commercial electronic mail” from either a computer located in Kansas or to a resident the sender knows is a Kansas resident. Kan. Stat. Ann. § 50-6,107(c). Violators of this section are subject to civil penalties of “not less than USD $500 nor more than USD $10,000 for each such violation.” Kan. Stat. Ann. § 50-6,107(j). |
Are there any recent developments or expected reforms? | N/A |
Contributors: Daniel Buller, Sarah Otto
Updated 01 Mar 2022