50-7a01. Consumer information; security breach; definitions. As used in K.S.A. 2021 Supp. 50-7a01 and 50-7a02, and amendments thereto:
(a) "Consumer" means an individual who is a resident of this state.
(b) "Encrypted" means transformation of data through the use of algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.
(c) "Notice" means:
(1) Written notice;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; or
(3) substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, or that the affected class of consumers to be notified exceeds 5,000, or that the individual or the commercial entity does not have sufficient contact information to provide notice.
(d) "Redact" means alteration or truncation of data such that no more than the following are accessible as part of the personal information:
(1) Five digits of a social security number; or
(2) the last four digits of a driver's license number, state identification card number or account number.
(e) "Substitute notice" means:
(1) E-mail notice if the individual or the commercial entity has e-mail addresses for the affected class of consumers;
(2) conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains a web site; and
(3) notification to major statewide media.
(f) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency or other entity.
(g) "Personal information" means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted:
(1) Social security number;
(2) driver's license number or state identification card number; or
(3) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account. The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
(h) "Security breach" means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.
History: L. 2006, ch. 149, § 3; July 1.