On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as in effect on July 1, 2023. (16 C.F.R. § 314.1 et seq.). The only available exemption from the Act’s requirements is for entities that are directly regulated by a federal banking agency.
The Act requires covered entities in Kansas to create standards regarding the development, implementation, and maintenance of reasonable safeguards to protect the security, confidentiality, and integrity of customer information. For purposes of the Act, “customer information” is broadly defined as “any record containing nonpublic personal information about a customer of a covered entity, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the covered entity or its affiliates.” However, the Act also requires that an entity’s customer information standards be consistent with, and made pursuant to, the GLBA’s Safeguard Rule.
The Safeguard Rule is a regulation stemming from the GLBA that requires non-banking financial institutions to develop, implement, and maintain a comprehensive security program to protect the information of their customers. The Safeguard Rule is currently implementing new requirements, set to become effective on June 9, 2023, which we previously covered in greater detail within the CyberAdviser blog, please see here and here. The Safeguard Rule lays out three main objectives for information security programs: (1) Insure the security and confidentiality of customer information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
As of June 9, those objectives will require applicable companies to, in part: (1) Designate a qualified individual to oversee their information security program; (2) Develop a written risk assessment; (3) Limit and monitor who can access customer information; (4) Encrypt information in transit and at rest; (7) Train security personnel; (6) Develop a written incident response plan; and (8) Implement multifactor authentication whenever anyone accesses customer information. However, the Safeguards Rule does not fully apply to financial institutions that fit within certain exceptions or have primary regulators other than the FTC. Those entities in particular should assess whether the Act may require them to comply with the Safeguard Rule. And, whereas covered entities subject to the FTC’s Safeguards Rule have been working for months if not years to comply, the Kansas Act will require compliance within a matter of months.
Additionally, the Act required covered entities to develop and organize their information security program “into one or more readily accessible parts,” and maintain that program in accordance with the books and record retention requirements of the covered entity. Lastly, the new act provides the Kansas Office of the State Bank Commissioner the discretionary ability to issue regulations to implement the Act.