Legislature, Kelly tackle significant computer security shortcomings at state agencies

New Kansas law mandates swift disclosure of cybersecurity lapses to state IT officials

By: - April 18, 2023 4:54 pm
The U.S. Department of Justice unsealed indictments against Russian security agency employees linked to the computer-system hack of the Wolf Creek nuclear power plant in Burlington, Kansas. (Tim Carpenter/Kansas Reflector)

Kansas Gov. Laura Kelly responded to state audits pointing to weak cybersecurity at state agencies by signing a bill requiring public entities to disclose cybersecurity incidents to state IT administrators within 12 hours of discovery. (Tim Carpenter/Kansas Reflector)

TOPEKA — Gov. Laura Kelly signed into law the Kansas Legislature’s information technology reform bill requiring public entities to disclose cybersecurity incidents within 12 hours of discovery and for government contractors to comply with the disclosure mandate within a 72-hour window.

Cybersecurity incidents at entities maintaining personal information provided by the state or using IT systems operated by the state would have to be shared with the Kansas Information Security Office. In addition, the law directed the executive branch’s chief information security officer to focus more on cybersecurity standards and policies, and make changes to responsibilities at agencies regarding security training, assessment and incident response.

Adoption of reforms followed publication in December 2022 by the Legislature’s post audit division of a review confirming “significant security issues in many systems” with respect to account security, data protection, patching flaws and security and risk assessments. The majority of information from state audits of agency IT problems has been withheld from the public, which left taxpayers without full knowledge of shortcomings.

The Legislature’s auditors did say problems identified in previous reviews weren’t addressed by state agencies. Some issues stemmed from lack of proper oversight and insufficient staff resources, but there also were basic lapses in security training. Entities responsible for government IT systems failed phishing tests and didn’t dispose of sensitive information in a safe manner, auditors said.

Auditors working for the Legislature said 10 of 21 state agencies and school districts assessed during 2022 scored poorly or very poorly on vulnerability tests.

Kelly said she was eager to sign the bill because the bipartisan solution protected privacy and taxpayer dollars while “improving our ability to prevent and respond to cybersecurity attacks.”

“In today’s digital world, it is essential to ensure cybersecurity measures are in place to protect communities across Kansas,” Kelly said.

Jeff Maxon, the state’s interim chief information technology officer, said House Bill 2019 was a meaningful step toward safeguarding state IT data and systems.

“Through mandatory reporting, the bill increases communication between the state and its public and private partners to ensure that we address cybersecurity in a holistic fashion,” Maxon said. “The bill also helps create a cohesive standard for cybersecurity policy across state agencies.”

The law made changes to powers and duties of the Legislature’s joint information technology committee regarding oversight of IT project proposals.

Meanwhile, the Democratic governor signed House Bill 2015 to expand the statute enabling the head of an agency to petition the court for an order requiring infectious disease testing of an employee suspected of being exposed to bodily fluids of another person during the course of work.

The law would permit a designee of an agency leader to apply for court-ordered testing. A section of the bill established a requirement that applications for court-ordered testing include the statement of a licensed physician affirming the tests were required for medical treatment of employees.

The umbrella of agencies covered by the measure would include those engaged in law enforcement, emergency services staff as well as juvenile and adult correctional facilities.

Kelly’s signature placed into law contents of House Bill 2027 to prevent distribution of private property and assets to a person charged with killing or soliciting the killing of a spouse, relative or person associated with the accused through an estate.

Under “Karen’s Law,” probate courts would implement the “slayer rule” to prevent someone accused of killing another to benefit financial by taking possession of property. The law created a procedure by which the court could block the sale, distribution, spending or use of the decedent’s asset or interest by a person who had been arrested for or charged with the felonious killing or procuring the killing of the decedent.

The hold would last until resolution of criminal proceedings for a person arrested or charged in a death. The change blended with existing Kansas law forbidding persons convicted of crimes in a killing from receiving any portion of the estate or property in which the decedent had an interest.

Kelly likewise signed House Bill 2065 to enable a court during a divorce proceeding to change a person’s name to something other than a maiden or married name. In January, a Douglas County District Court judge testified the bill would save personal and judicial resources and provide a reasonable naming alternative for victims of domestic violence and sexual abuse.

The governor also signed House Bill 2020 establishing ground rules for when drivers for transportation network companies, such as Uber and Lyft, would be categorized as independent contracts rather than company employees. Another law, brought about by House Bill 2042, enabled operators of self-storage units to tow away vehicles, boats or trailers left by people who abandoned belongings or failed to pay rent on the units.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.

Tim Carpenter
Tim Carpenter

Tim Carpenter has reported on Kansas for 35 years. He covered the Capitol for 16 years at the Topeka Capital-Journal and previously worked for the Lawrence Journal-World and United Press International.