50-6,139b Requirements for holders of personal information.

KS Stat § 50-6,139b (2018)

50-6,139b. Requirements for holders of personal information. (a) As used in this section:

(1) "Holder of personal information" or "holder" means a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.

(2) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, governmental subdivision or agency or other entity.

(3) "Personal information" means personal information as defined by K.S.A. 50-7a01(g), and amendments thereto, and any other information which identifies an individual for which an information security obligation is imposed by federal or state statute or regulation.

(4) "Record" has the meaning provided by K.S.A. 84-1-201, and amendments thereto.

(b) A holder of personal information shall:

(1) Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. If federal or state law or regulation governs the procedures and practices of the holder of personal information for such protection of personal information, then compliance with such federal or state law or regulation shall be deemed compliance with this paragraph and failure to comply with such federal or state law or regulation shall be prima facie evidence of a violation of this paragraph; and

(2) unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records within such holder's custody or control containing any person's personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.

(c) A holder of personal information shall have an affirmative defense to a violation of subsection (b)(2) if such holder proves by clear and convincing evidence that:

(1) The violation resulted from a failure of the method of destruction of records to make personal information contained in such records unreadable or undecipherable through any means, and such failure could not reasonably have been foreseen despite the holder's exercise of reasonable care in selecting and employing a method of destruction; or

(2) the holder of personal information had in effect at the time of the violation a bona fide written or electronic records management policy, including practices and procedures reasonably designed, maintained, and expected to prevent a violation of subsection (b)(2), and that the records involved in the violation of subsection (b)(2) were destroyed or disposed of in violation of such policy. No affirmative defense under this paragraph shall be available unless such holder proves:

(A) The employees or other persons involved in the violation received training in the holder's written or electronic records management policy;

(B) the violation resulted from a good faith error; and

(C) no reasonable likelihood exists that the violation may cause, enable or contribute to identity theft or identity fraud as defined by K.S.A. 2018 Supp. 21-6107, and amendments thereto, or to a violation of an information security obligation imposed by federal or state statute or regulation.

(d) Each violation of this section shall be an unconscionable act or practice in violation of K.S.A. 50-627, and amendments thereto. Each record that is not destroyed in compliance with subsection (b)(2) shall constitute a separate unconscionable act within the meaning of K.S.A. 50-627, and amendments thereto.

(e) Notwithstanding any other provision of law to the contrary, the exclusive authority to bring an action for any violation of this section shall be with the attorney general. Nothing in this section shall be construed to create or permit a private cause of action for any violation of this section.

(f) Nothing in this section relieves a holder of personal information from any duty to comply with other requirements of state and federal law regarding the protection of such information.

(g) This section shall be part of and supplemental to the Kansas consumer protection act.

History: L. 2016, ch. 103, § 2; July 1.