Kansas Statutes 50-6,139b. Requirements for holders of personal information
Terms Used In Kansas Statutes 50-6,139b
- Consumer: an individual, husband and wife, sole proprietor, or family partnership who seeks or acquires property or services for personal, family, household, business or agricultural purposes. See Kansas Statutes 50-624
- Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
- Evidence: Information presented in testimony or in documents that is used to persuade the fact finder (judge or jury) to decide the case for one side or the other.
- Fraud: Intentional deception resulting in injury to another.
- Obligation: An order placed, contract awarded, service received, or similar transaction during a given period that will require payments during the same or a future period.
- Partnership: A voluntary contract between two or more persons to pool some or all of their assets into a business, with the agreement that there will be a proportional sharing of profits and losses.
- Person: any individual, corporation, government, governmental subdivision or agency, business trust, estate, trust, partnership, association, cooperative or other legal entity. See Kansas Statutes 50-624
- State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Kansas Statutes 77-201
- Statute: A law passed by a legislature.
(a) As used in this section:
(1) “Holder of personal information” or “holder” means a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.
(2) “Person” means any individual, partnership, corporation, trust, estate, cooperative, association, government, governmental subdivision or agency or other entity.
(3) “Personal information” means personal information as defined by Kan. Stat. Ann. § 50-7a01(g), and amendments thereto, and any other information which identifies an individual for which an information security obligation is imposed by federal or state statute or regulation.
(4) “Record” has the meaning provided by Kan. Stat. Ann. § 84-1-201, and amendments thereto.
(b) A holder of personal information shall:
(1) Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. If federal or state law or regulation governs the procedures and practices of the holder of personal information for such protection of personal information, then compliance with such federal or state law or regulation shall be deemed compliance with this paragraph and failure to comply with such federal or state law or regulation shall be prima facie evidence of a violation of this paragraph; and
(2) unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records within such holder’s custody or control containing any person’s personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.
(c) A holder of personal information shall have an affirmative defense to a violation of subsection (b)(2) if such holder proves by clear and convincing evidence that:
(1) The violation resulted from a failure of the method of destruction of records to make personal information contained in such records unreadable or undecipherable through any means, and such failure could not reasonably have been foreseen despite the holder’s exercise of reasonable care in selecting and employing a method of destruction; or
(2) the holder of personal information had in effect at the time of the violation a bona fide written or electronic records management policy, including practices and procedures reasonably designed, maintained, and expected to prevent a violation of subsection (b)(2), and that the records involved in the violation of subsection (b)(2) were destroyed or disposed of in violation of such policy. No affirmative defense under this paragraph shall be available unless such holder proves:
(A) The employees or other persons involved in the violation received training in the holder’s written or electronic records management policy;
(B) the violation resulted from a good faith error; and
(C) no reasonable likelihood exists that the violation may cause, enable or contribute to identity theft or identity fraud as defined by Kan. Stat. Ann. § 21-6107, and amendments thereto, or to a violation of an information security obligation imposed by federal or state statute or regulation.
(d) Each violation of this section shall be an unconscionable act or practice in violation of Kan. Stat. Ann. § 50-627, and amendments thereto. Each record that is not destroyed in compliance with subsection (b)(2) shall constitute a separate unconscionable act within the meaning of Kan. Stat. Ann. § 50-627, and amendments thereto.
(e) Notwithstanding any other provision of law to the contrary, the exclusive authority to bring an action for any violation of this section shall be with the attorney general. Nothing in this section shall be construed to create or permit a private cause of action for any violation of this section.
(f) Nothing in this section relieves a holder of personal information from any duty to comply with other requirements of state and federal law regarding the protection of such information.
(g) This section shall be part of and supplemental to the Kansas consumer protection act.