Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- attorney general may bring an action

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are specific considerations when determining if a breach is reportable.
  • Notifications may only be given by specific methods.
  • If notification is required to more than 1,000 persons, all consumer reporting agencies must be notified with specific information without unreasonable delay.
  • A covered entity must provide an individual or such individual’s personal representative with access to the individual’s protected health information.
  • A covered entity must implement and maintain appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.
  • For violations of the security breach statute by an insurance company licensed to do business in this state, the Insurance Commissioner shall have the sole enforcement authority.
  • If a vendor is breached, the vendor must report it to the data owner. The data owner is responsible for completing the reporting and consumer notification, but the vendor is still required to cooperate.
  • If your breach affects residents in other states, you will need to notify those residents using those states’ rules.
Statutes and Laws
  • K.S. § 50-7a Protection of Consumer Information
  • K.S. § 50-6,139b Requirements for holders of personal information
  • K.S. § 50-669a Prohibiting the taking of personal information when using a credit card
  • K.S. § 50-669b Prohibiting printing of credit card or debit card account numbers on receipts
  • K.S. § 65-6824 Health Care Data – Same; duties of covered entity
  • K.S. § 40-2425 Personal identifier; use of social security number prohibited