SESSION OF 2023
SUPPLEMENTAL NOTE ON SENATE BILL NO. 44
As Amended by House Committee of the Whole

Brief*
SB 44, as amended, would enact the Kansas Financial
Institutions Information Security Act (Act). The bill would
designate covered entities, define terms, outline requirements
for covered entities, and provide for responsibilities of the
State Bank Commissioner under the Act.
The bill would be in effect upon publication in the
Kansas Register.

Covered Entities
The Act would apply to the handling of customer
information by the following covered entities:
● Credit services organizations;
● Mortgage companies;
● Supervised lenders (e.g., persons authorized to
make a consumer loan under the Uniform
Consumer Credit Code);
● Financial institutions engaging in money
transmission;
● Trust companies; and
● Technology-enabled fiduciary financial institutions.
____________________
*Supplemental notes are prepared by the Legislative Research
Department and do not express legislative intent. The supplemental
note and fiscal note for this bill may be accessed on the Internet at
http://www.kslegislature.org

Definitions
The bill would define terms, including:
● “Commissioner” would mean the State Bank
Commissioner or the Commissioner’s designee;
● “Covered entity” would mean each person,
applicant, registrant, or licensee subject to
regulation by the Office of the State Bank
Commissioner that is not directly regulated by a
federal banking agency; and
● “Customer information” would mean any record
containing nonpublic personal information about a
customer of a covered entity, whether in paper,
electronic, or other form, that is handled or
maintained by or on behalf of the covered entity or
its affiliates.

Covered Entity Requirements
The bill would require a covered entity to:
● Set forth standards for developing, implementing,
and maintaining reasonable safeguards to protect
the security, confidentiality, and integrity of
customer information pursuant to the federal
Standards for Safeguarding Consumer Information
(16 CFR Part 314);
● Develop and organize its information security
system into one or more readily accessible parts;
and
● Maintain the program as part of the covered entity’s
books and records in accordance with its record
retention requirements.

Responsibilities of the State Bank Commissioner
The bill would specify the Act would be implemented,
administered, and enforced by the Commissioner.
Under the Act, the Commissioner would be permitted to
conduct routine examinations of the operations of a covered
entity or investigations of its operations if the Commissioner
has reason to believe the covered entity has been engaged
or is engaging in any conduct in violation of the Act.
In conducting an investigation or examination or while
enforcing the Act, the Commissioner would be able to:
● Issue subpoenas or seek their enforcement in a
court of competent jurisdiction;
● Assess fines or civil penalties on a covered entity
not to exceed $5,000 per violation and assess
costs of the investigation, examination, or
enforcement activity;
● Censure a covered entity if it is registered or
licensed;
● Enter into a memorandum of understanding or
consent order with a covered entity;
● Issue a summary order to a covered entity;
● Revoke, suspend, or refuse to renew the
registration or licensure of a covered entity;
● Order a covered entity to cease and desist from
engaging in any conduct in violation of the Act or
file an injunction to prohibit the covered entity from
continuing such conduct; or
● Issue emergency orders if necessary to prevent
harm to consumers.

The bill would also provide that any enforcement action
required or requested under the Act would be conducted in
accordance with the Kansas Administrative Procedure Act
and would be subject to review in accordance with the
Kansas Judicial Review Act.

Background
The bill was introduced by the Senate Committee on
Financial Institutions and Insurance at the request of the
Office of the State Bank Commissioner (OSBC).

Senate Committee on Financial Institutions and
Insurance
In the Senate Committee hearing, a representative of
the OSBC provided proponent testimony, stating the bill
would not increase regulatory burden and would not require
additional employees or examinations. The representative
noted all financial institutions are required to comply with
federal Information Safety Standards, which implement
sections of the Gramm-Leach-Bliley Act and set forth
standards for implementing safeguards designed to protect
the security, confidentiality, and integrity of customer
information. The OSBC has found, during IT examinations,
financial institutions doing business with Kansas consumers
were not fully compliant with the Federal Trade Commission
(FTC) Safeguards Rule.
Opponent testimony was provided by a representative
of the Kansas Automobile Dealers Association, who stated
the bill would replicate enforcement already in place under
the FTC and asked that automobile dealers be exempted
from the bill.
The Senate Committee amended the bill to, under the
list of covered entities, replace “financial institutions engaging
in consumer credit transactions” with “supervised lenders” to
better reflect the institutions covered by the bill.

House Committee on Financial Institutions and Pensions
In the House Committee hearing, a representative of the
OSBC provided proponent testimony, stating the bill would
cover all entities under the jurisdiction of the State Bank
Commissioner outside of state-chartered banks and wholly-
owned subsidiaries (subject to other information security
regulations) and persons only required to file notification
under the UCCC. No other testimony was provided.
The House Committee recommended the bill be passed
favorably.

House Committee of the Whole
The House Committee of the Whole amended the bill to
change its effective date to upon publication in the Kansas
Register.

Fiscal Information
According to the fiscal note prepared by the Division of
the Budget on the bill, as introduced, the OSBC indicates its
enactment would have no fiscal effect on agency operations
because the agency already performs information technology
examinations of financial entities, which also check for
compliance with the FTC Safeguards Rule. In addition, the
agency indicates it would not generate fine revenues because
financial entities already voluntarily make any necessary
changes to come into compliance with the FTC Safeguards
Rule and the agency expects continued cooperation from the
entities.
The Kansas Judicial Branch indicates that enactment of
the bill would allow the OSBC to enforce its subpoena power
in district court, and there would be an increase in time spent
processing and researching cases by judicial and nonjudicial
personnel. The bill could also result in the collection of docket
fees that would be deposited to the State General Fund.
However, the Judicial Branch is unable to estimate a fiscal
effect.
The Office of the Attorney General indicates the bill
would not have a fiscal effect on its operations. Any fiscal
effect associated with the bill is not reflected in The FY 2024
Governor’s Budget Report.
Financial institutions; Kansas Financial Institutions Information Security Act;
cybersecurity; information security; State Bank Commissioner

