Cybersecurity

A number of provisions related to cybersecurity have been considered by the Legislature in recent years, while many other states introduced and enacted cybersecurity measures of their own. An overview of these activities follows.

Kansas Legislation

SB 454 (2020)

SB 454, as amended by the Senate Committee on Ethics, Elections and Local Government, would have added cybersecurity assessments, cybersecurity plans, and cybersecurity vulnerabilities to the list of exceptions to disclosure in the Kansas Open Records Act (KORA). The bill also would have defined these three new terms. The bill was passed by the Senate, but no action was taken by the House Committee on Elections. As introduced, the bill contained provisions related to election security that were removed by the Senate Committee.

HB 2209 (2019–enacted)

HB 2209, among other provisions related to insurance, allows the Kansas Board of Regents (KBOR) to purchase cybersecurity insurance. The bill allows KBOR to purchase such insurance as it deems necessary to protect student records, labor information, and other statutorily protected data KBOR maintains, independent of the Committee on Surety Bonds and Insurance, and without complying with purchasing procedures of the Department of Administration. The term “cybersecurity insurance” includes, but is not limited to, first-party coverage against losses such as data destruction, denial of service attacks, theft, hacking, and liability coverage guaranteeing compensation for damages from errors, such as the failure to safeguard data.

House Sub. for SB 56 (2018–enacted)

House Sub. for SB 56 created the Kansas Cybersecurity Act (Act). The legislation established the position of Chief Information Security Officer (CISO) and the Kansas Information Security Office (KISO) within the Office of Information Technology Services (OITS) to administer the Act and perform various functions related to cybersecurity for executive branch agencies. The definition of “executive branch agency” excludes elected office agencies, the Kansas Public Employees Retirement System, Regents institutions, the State Board of Regents, and the Adjutant General’s Department. Executive branch agency heads are solely responsible for the security of all data and information technology resources under the agency’s purview through various measures and procedures. Executive branch agencies have the discretion to pay for cybersecurity services from existing budgets, from grants or other revenues, or through special assessments to offset costs. Any increase in fees or charges due to the Act, including cybersecurity fees charged by the KISO, are to be fixed by rules and regulations adopted by the agency and can only be used for cybersecurity.

Sub. for HB 2331 (2017)

Sub. for HB 2331 would have enacted the Representative Jim Morrison Cybersecurity Act. The bill was based on the previous year’s HB 2509 in that it would have created the KISO and established the position of CISO in statute.

The bill would have also established the Kansas Information Technology Enterprise (KITE), which would have consolidated functions of OITS and transferred current OITS employees and officers to KITE.

The House Committee on Government, Technology, and Security introduced HB 2331 during the 2017 Legislative Session. The House Committee recommended a substitute bill be passed that would have included various amendments to the original contents of 2017 HB 2331, as well as an amended version of 2017 HB 2359 (relating to the creation of KITE). After passing the House Committee of the Whole, the bill was referred to the Senate Committee on Ways and Means. The Senate Committee heard testimony on the bill, but did not take any further action during the 2017 or 2018 Legislative Sessions.

Other States’ Legislation

In 2020, 38 states and Puerto Rico considered more than 280 bills or resolutions related to cybersecurity. According to the National Conference of State Legislatures, common cybersecurity legislation categories included:

• Requiring implementation of training or specific types of security policies and practices to improve incidence response and preparedness;
• Increasing penalties for digital crime or addressing specific crimes such as the use of ransomware (malicious software that limits computer function until a fee has been paid);
• Regulating cybersecurity within the insurance industry or addressing cybersecurity insurance;
• Creating cybersecurity commissions, task forces, or studies; and
• Supporting programs for cybersecurity training and education.

For more information on other states’ recent cybersecurity legislation, see https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2020.aspx.