Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expeditious manner possible and without unreasonable delay
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to persons or businesses that conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after reasonable and prompt investigation, misuse of covered info has not and is not reasonably likely to occur.
Unauthorized access and acquisition that compromises the security, confidentiality, or integrity of the covered info that the covered entity reasonably believes has caused or will cause identity theft to a resident, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted or otherwise secured by any method in such a way that it is unreadable or unusable.
Form of Covered Info
First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; or financial account, credit card, or debit card number, alone or in combination with any required security or access code or password that would permit access to a resident's financial account.
Consumer Notice Timing
Must be made in most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Content of notice undefined.
Notification may be delayed if law enforcement determines that notification will impede a criminal investigation.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must, without unreasonable delay, notify all nationwide Consumer Reporting Agencies of timing, distribution, and content of the notices.
Exceptions for Other Laws
An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidance or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section. This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.
If you maintain covered info on behalf of another entity, you must notify it following discovery of a breach if covered info was or is reasonably believed to have been accessed and acquired by an unauthorized person.
Private Right of Action
The Kansas statute does not provide for a private right of action.
Violations may result in civil penalties.