TOPEKA – (May 19, 2016) – Businesses and others who routinely collect personal information about their customers or employees will be required to use at least basic safeguards to protect that information from identity thieves under a new law signed this week by the governor, Attorney General Derek Schmidt said.
House Bill 2460, signed into law on Tuesday, requires businesses, government agencies and others that collect and hold personal information about customers or others to exercise “reasonable care” to prevent the information in their possession from being improperly disclosed to identity thieves or anybody else.
“For better and for worse, we live in a time when information truly is power,” Schmidt said. “All sorts of businesses and government entities, big and small, collect volumes of information about people that is supposed to be kept private. This new statute guarantees there is legal remedy available to the attorney general’s office when entities that collect that kind of information disregard their duty to handle it properly to prevent unauthorized disclosure.”
The new statute requires that holders of other people’s personal information have procedures and policies in place to prevent unauthorized disclosure of that information and exercise reasonable care in protecting it. It also specifically requires that when records containing personal information no longer are to be retained, they must be properly and securely destroyed so personal information cannot be retrieved and used by identity thieves or others.
Schmidt, who proposed the new statute and worked with legislators, businesses and other interested parties in crafting it, said the bill was motivated by investigations his office has conducted of businesses that collect personal information about consumers and then dispose of it carelessly. In two cases his office successfully litigated, businesses disposed of boxes full of paper records containing personal information by leaving them in or near unsecured near trash bins and waiting for ordinary trash pickup. In a third case, however, the same conduct could not be litigated because the old state statute was poorly written and did not explicitly cover the conduct, even though the risk of identity theft was equally severe.
“In a world where identity thieves go to great lengths to gain access to consumers’ personal information, it’s not too much to require that businesses, government entities and others that collect people’s personal information for proper purposes be required to use reasonable care to prevent its improper disclosure to crooks and criminals,” Schmidt said.
Schmidt noted identity theft is one of the fastest growing categories of crime in the United States.
The new statute takes effect July 1. A copy is available at http://bit.ly/1WFj9WZ.