Kansas Gov. Laura Kelly has approved enactment of Senate Bill 44 which requires certain financial institutions to establish information security standards consistent with the federal Gramm-Leach-Bliley Act’s Safeguards Rule, 16 C.F.R. § 314.1, et seq. The Kansas Financial Institutions Information Security Act becomes effective July 1, 2023.
The Act applies to the following covered entities, as defined by Kansas law:
- Credit services organizations;
- Mortgage companies;
- Supervised lenders;
- Financial institutions engaging in money transmission;
- Trust companies; and
- Technology-enabled fiduciary financial institutions.
Covered entities must:
- Set forth standards for developing, implementing, and maintaining reasonable safeguards to protect the security, confidentiality, and integrity of customer information pursuant to 16 C.F.R. § 314, as in effect on July 1, 2023;
- develop and organize its information security program into one or more readily accessible parts; and
- maintain its information security program as part of the covered entity’s books and records in accordance with the record retention requirements of such covered entity.
The State Bank Commissioner has exclusive authority to implement, administer and enforce the Act, which includes the ability to examine, investigate, and subpoena covered entities. The Commissioner may seek injunctive relief and assess civil penalties not to exceed $5,000 per violation. All enforcement actions are pursuant to the Kansas Administrative Procedure Act.
This legislation is a model of simplicity. Instead of reinventing the wheel with lengthy and potentially controversial legislation, Kansas has taken a commonsense approach by simply requiring that certain regulated entities comply with the Safeguards Rule and providing its state regulator with enforcement authority.