2025-01-01

Kansas Financial Institutions Information Security Act

The Kansas Office of the State Bank Commissioner enacted the Kansas Financial Institutions Information Security Act to establish information security standards for covered entities consistent with the FTC Safeguards Rule. The statute requires credit services organizations, mortgage companies, supervised lenders, and other regulated financial institutions to develop and maintain reasonable safeguards protecting the confidentiality and integrity of customer information. The Commissioner is empowered to enforce these requirements through examinations, investigations, and penalties including fines, license revocation, and cease and desist orders.


United States

Kansas Office of the State Bank Commissioner


2025 Kansas Consumer & Mortgage Lending Law Book
KANSAS STATUTES
Chapter 9 – BANKS AND BANKING; TRUST COMPANIES
Article 5 – MISCELLANEOUS PROVISIONS

Kansas Financial Institutions Information Security Act (K.S.A. 9-551 – K.S.A. 9-554)

9-551 Applicability of Act.
9-552 Definitions.
9-553 Information security requirements.
9-554 Powers and duties of the commissioner; enforcement and review.

K.S.A. 9-551. Applicability of Act.

(a) K.S.A. 2024 Supp. 9-551 through 9-554, and amendments thereto, shall be known and may be cited as the Kansas financial institutions information security act.

(b) The purpose of the Kansas financial institutions information security act is to establish information security standards for any covered entity consistent with 16 C.F.R. § 314, as in effect on July 1, 2023.

(c) The Kansas financial institutions information security act applies to the handling of customer information by the following covered entities:

(1) Credit services organizations, as defined in K.S.A. 50-1117, and amendments thereto;

(2) mortgage companies, as defined in K.S.A. 9-2201, and amendments thereto;

(3) supervised lenders, as defined in K.S.A. 16a-1-301, and amendments thereto;

(4) financial institutions engaging in money transmission, as defined in K.S.A. 9-508, and amendments thereto;

(5) trust companies, as defined in K.S.A. 9-701, and amendments thereto; and

(6) technology-enabled fiduciary financial institutions, as defined in K.S.A. 9-2301, and amendments thereto.

(d) The commissioner may adopt all rules and regulations necessary to govern and administer the provisions of the Kansas financial institutions information security act.

(e) The Kansas financial institutions information security act shall be a part of and supplemental to chapter 9 of the Kansas Statutes Annotated, and amendments thereto.

History: L. 2023, ch. 54, § 1; April 27.

K.S.A. 9-552. Definitions.

As used in the Kansas financial institutions information security act:

(a) "Commissioner" means the state bank commissioner or the commissioner's designee.

(b) "Covered entity" means each person, applicant, registrant or licensee subject to regulation by the office of the state bank commissioner that is not directly regulated by a federal banking agency.

(c) "Customer information" means any record containing nonpublic personal information about a customer of a covered entity, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the covered entity or its affiliates.

History: L. 2023, ch. 54, § 2; April 27.

K.S.A. 9-553. Information security requirements.

A covered entity shall:

(a) Set forth standards for developing, implementing and maintaining reasonable safeguards to protect the security, confidentiality and integrity of customer information pursuant to 16 C.F.R. § 314, as in effect on July 1, 2023;

(b) develop and organize its information security program into one or more readily accessible parts; and

(c) maintain its information security program as part of the covered entity's books and records in accordance with the record retention requirements of such covered entity.

History: L. 2023, ch. 54, § 3; April 27.

K.S.A. 9-554. Powers and duties of the commissioner; enforcement and review.

(a) The Kansas financial institutions information security act shall be implemented, administered and enforced by the commissioner.

(b) (1) The commissioner may conduct:

(A) Routine examinations of the operations of a covered entity; or

(B) investigations of the operations of the covered entity if the commissioner has reason to believe that the covered entity has been engaged or is engaging in any conduct in violation of the Kansas financial institutions information security act.

(2) In furtherance of an investigation or examination, or while enforcing the provisions of the Kansas financial institutions information security act, the commissioner may take such action that is necessary and appropriate, including, but not limited to, the following:

(A) Issue subpoenas and seek enforcement thereof in a court of competent jurisdiction;

(B) assess fines or civil penalties on a covered entity not to exceed $5,000 per violation and assess costs of the investigation, examination or enforcement action;

(C) censure a covered entity if such covered entity is registered or licensed;

(D) enter into a memorandum of understanding or consent order with a covered entity;

(E) issue a summary order to a covered entity;

(F) revoke, suspend or refuse to renew the registration or licensure of a covered entity;

(G) order a covered entity to cease and desist from engaging in any conduct in violation of the Kansas financial institutions information security act or file for an injunction to prohibit the covered entity from continuing such conduct; or

(H) issue emergency orders if necessary to prevent harm to consumers.

(c) Any enforcement action required or requested under the Kansas financial institutions information security act shall be conducted in accordance with the Kansas administrative procedure act, K.S.A. 77-501 et seq., and amendments thereto.

(d) Any enforcement action required or requested under the Kansas financial institutions information security act shall be subject to review in accordance with the Kansas judicial review act, K.S.A. 77-601 et seq., and amendments thereto.

History: L. 2023, ch. 54, § 4; April 27.