CHAPTER 54
Senate Bill No. 44
An Act concerning financial institutions; relating to cybersecurity; enacting the Kansas financial institutions information security act; requiring certain covered entities to protect customer information; authorizing the state bank commissioner to adopt rules and regulations; providing penalties for violations of such act.
Be it enacted by the Legislature of the State of Kansas:
Section 1. (a) Sections 1 through 4, and amendments thereto, shall be known and may be cited as the Kansas financial institutions information security act.
(b) The purpose of the Kansas financial institutions information security act is to establish information security standards for any covered entity consistent with 16 C.F.R. § 314, as in effect on July 1, 2023.
(c) The Kansas financial institutions information security act applies to the handling of customer information by the following covered entities: (1) Credit services organizations, as defined in K.S.A. 50-1117, and amendments thereto; (2) mortgage companies, as defined in K.S.A. 9-2201, and amendments thereto; (3) supervised lenders, as defined in K.S.A. 16a-1-301, and amendments thereto; (4) financial institutions engaging in money transmission, as defined in K.S.A. 9-508, and amendments thereto; (5) trust companies, as defined in K.S.A. 9-701, and amendments thereto; and (6) technology-enabled fiduciary financial institutions, as defined in K.S.A. 9-2301, and amendments thereto.
(d) The commissioner may adopt all rules and regulations necessary to govern and administer the provisions of the Kansas financial institutions information security act.
(e) The Kansas financial institutions information security act shall be a part of and supplemental to chapter 9 of the Kansas Statutes Annotated, and amendments thereto.
Sec. 2. As used in the Kansas financial institutions information security act:
(a) “Commissioner” means the state bank commissioner or the commissioner’s designee.
(b) “Covered entity” means each person, applicant, registrant or licensee subject to regulation by the office of the state bank commissioner that is not directly regulated by a federal banking agency.
(c) “Customer information” means any record containing nonpublic personal information about a customer of a covered entity, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the covered entity or its affiliates.
Sec. 3. A covered entity shall:
(a) Set forth standards for developing, implementing and maintaining reasonable safeguards to protect the security, confidentiality and integrity of customer information pursuant to 16 C.F.R. § 314, as in effect on July 1, 2023;
(b) develop and organize its information security program into one or more readily accessible parts; and
(c) maintain its information security program as part of the covered entity’s books and records in accordance with the record retention requirements of such covered entity.
Sec. 4. (a) The Kansas financial institutions information security act shall be implemented, administered and enforced by the commissioner.
(b) (1) The commissioner may conduct:
(A) Routine examinations of the operations of a covered entity; or
(B) investigations of the operations of the covered entity if the commissioner has reason to believe that the covered entity has been engaged or is engaging in any conduct in violation of the Kansas financial institutions information security act.
(2) In furtherance of an investigation or examination, or while enforcing the provisions of the Kansas financial institutions information security act, the commissioner may take such action that is necessary and appropriate, including, but not limited to, the following:
(A) Issue subpoenas and seek enforcement thereof in a court of competent jurisdiction;
(B) assess fines or civil penalties on a covered entity not to exceed $5,000 per violation and assess costs of the investigation, examination or enforcement action;
(C) censure a covered entity if such covered entity is registered or licensed;
(D) enter into a memorandum of understanding or consent order with a covered entity;
(E) issue a summary order to a covered entity;
(F) revoke, suspend or refuse to renew the registration or licensure of a covered entity;
(G) order a covered entity to cease and desist from engaging in any conduct in violation of the Kansas financial institutions information security act or file for an injunction to prohibit the covered entity from continuing such conduct; or
(H) issue emergency orders if necessary to prevent harm to consumers.
(c) Any enforcement action required or requested under the Kansas financial institutions information security act shall be conducted in accordance with the Kansas administrative procedure act, K.S.A. 77-501 et seq., and amendments thereto.
(d) Any enforcement action required or requested under the Kansas financial institutions information security act shall be subject to review in accordance with the Kansas judicial review act, K.S.A. 77-601 et seq., and amendments thereto.
Sec. 5. This act shall take effect and be in force from and after its publication in the Kansas register.
Approved April 20, 2023.
Published in the Kansas Register April 27, 2023.