LegalFix

50-6,139b Requirements for holders of personal information.

KS Stat § 50-6,139b (2018) (N/A)

50-6,139b. Requirements for holders of personal information. (a) As used in this section:

(1) "Holder of personal information" or "holder" means a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.

(2) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, governmental subdivision or agency or other entity.

(3) "Personal information" means personal information as defined by K.S.A. 50-7a01(g), and amendments thereto, and any other information which identifies an individual for which an information security obligation is imposed by federal or state statute or regulation.

(4) "Record" has the meaning provided by K.S.A. 84-1-201, and amendments thereto.

(b) A holder of personal information shall:

(1) Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. If federal or state law or regulation governs the procedures and practices of the holder of personal information for such protection of personal information, then compliance with such federal or state law or regulation shall be deemed compliance with this paragraph and failure to comply with such federal or state law or regulation shall be prima facie evidence of a violation of this paragraph; and

(2) unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records within such holder's custody or control containing any person's personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.

(c) A holder of personal information shall have an affirmative defense to a violation of subsection (b)(2) if such holder proves by clear and convincing evidence that:

(1) The violation resulted from a failure of the method of destruction of records to make personal information contained in such records unreadable or undecipherable through any means, and such failure could not reasonably have been foreseen despite the holder's exercise of reasonable care in selecting and employing a method of destruction; or

(2) the holder of personal information had in effect at the time of the violation a bona fide written or electronic records management policy, including practices and procedures reasonably designed, maintained, and expected to prevent a violation of subsection (b)(2), and that the records involved in the violation of subsection (b)(2) were destroyed or disposed of in violation of such policy. No affirmative defense under this paragraph shall be available unless such holder proves:

(A) The employees or other persons involved in the violation received training in the holder's written or electronic records management policy;

(B) the violation resulted from a good faith error; and

(C) no reasonable likelihood exists that the violation may cause, enable or contribute to identity theft or identity fraud as defined by K.S.A. 2018 Supp. 21-6107, and amendments thereto, or to a violation of an information security obligation imposed by federal or state statute or regulation.

(d) Each violation of this section shall be an unconscionable act or practice in violation of K.S.A. 50-627, and amendments thereto. Each record that is not destroyed in compliance with subsection (b)(2) shall constitute a separate unconscionable act within the meaning of K.S.A. 50-627, and amendments thereto.

(e) Notwithstanding any other provision of law to the contrary, the exclusive authority to bring an action for any violation of this section shall be with the attorney general. Nothing in this section shall be construed to create or permit a private cause of action for any violation of this section.

(f) Nothing in this section relieves a holder of personal information from any duty to comply with other requirements of state and federal law regarding the protection of such information.

(g) This section shall be part of and supplemental to the Kansas consumer protection act.

History: L. 2016, ch. 103, § 2; July 1.
