Hawaii Security Breach of Personal Information
Haw. Rev. Stat. § 487N-1 - § 487N-7
SUMMARY:
EFFECTIVE. January 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any business or government agency that owns or licenses Personal Information regarding Hawaii residents in any form whether or not it conducts business in Hawaii; and (2) any person or entity that conducts business in Hawaii and maintains information containing Personal Information on state residents that it does not own or license, including government agencies.
WHAT IS A BREACH. Any unauthorized access to and acquisition of unencrypted or unredacted records or data containing Personal Information where illegal use of the information has occurred or is reasonably likely to occur, and that creates a risk of harm to an individual. Any unauthorized access to and acquisition of encrypted records or data containing Personal Information together with the confidential process or key needed to decrypt them is also a breach. A good faith acquisition of Personal Information by an employee or agent of the business or agency for a lawful internal purpose is not a breach, provided the information is not used for any other purpose and is not subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data element is not encrypted:
- Social Security Number.
- Driver’s license number or Hawaii identification card number.
- Account number, credit card or debit card number, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected. The notice shall be clear and conspicuous and include the following:
- A description of the incident in general terms.
- The type of Personal Information that was accessed or acquired.
- Action taken to protect the Personal Information from further unauthorized access.
- A telephone number that affected individuals may call for further information and assistance, if one exists.
- Direction to continue to monitor account statements and free credit reports.
If more than 1,000 individuals are to receive notice, the business or governmental agency shall also notify in writing all consumer reporting agencies that maintain files on consumers on a nationwide basis (as defined by 15 U.S.C. § 1681a(p)) of the timing, distribution, and content of the notice. Such notice must be made without unreasonable delay.
EXCEPTION. The following are deemed to be in compliance with this Section:
- A financial institution that is subject to the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (issued by the Board of Governors of the Federal Reserve System, the FDIC, the Office of the Comptroller of the Currency and the Office of Thrift Supervision), or that is subject to 12 CFR Part 748 (issued by the National Credit Union Administration).
- Any health plan or health care provider that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information under the Health Insurance Portability and Accountability Act of 1996.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent following discovery or notification of a breach. The disclosure shall be made without unreasonable delay, consistent with the measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency advises that it would impede a criminal investigation or jeopardize national security. Such a request must be made in writing, or documented contemporaneously in writing by the business or agency, and must include the name of the officer making the request and the law enforcement agency conducting the investigation. In that instance, notification shall be made without unreasonable delay after law enforcement determines that notification will no longer impede the investigation or jeopardize national security.
Within 20 days after discovery of a breach, a governmental agency is required to submit a written report to the legislature that includes:
- Information regarding the nature of the breach.
- A copy of the notice.
- The number of individuals to whom notice was sent.
- Whether notice was delayed due to law enforcement considerations.
- Any procedures implemented to prevent a future breach.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice.
- Telephonic notice (provided contact is made directly with the affected individual).
- Electronic mail notice (for individuals who have a valid email address on file and have agreed to receive communications electronically, provided the notice is consistent with 15 U.S.C. § 7001).
- Substitute notice as provided below.
Any waiver of the provisions of this Section is considered contrary to public policy and is void and unenforceable.
SUBSTITUTE NOTICE AVAILABLE. If a business or governmental agency can demonstrate that the cost of providing notice will exceed $100,000, that the affected class of persons to be notified exceeds 200,000, or that it has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the business or agency has an email address for the individual(s) subject to the notice;
- Conspicuous posting of the notice on the website of the business or governmental agency; and
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a business or governmental agency maintains data or records that include Personal Information it does not own or license, it shall notify the owner or licensee immediately upon discovery of a breach, consistent with the legitimate needs of law enforcement. The business or governmental agency that owns or licenses the Personal Information is then responsible for providing notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. (a) Any business which violates any provision of this Section is subject to penalties of up to $2,500 for each violation. The Attorney General or the executive director of the Office of Consumer Protection may bring an action against a business to enforce this Section, but not against a governmental agency; (b) In addition to any penalty resulting from an action brought by way of subsection (a) above, a business is also liable to an injured individual for any actual damages sustained by them plus any attorneys’ fees awarded by the court. Again, no such action may be brought against a governmental agency; and (c) The penalties provided in this Section are in addition to any remedies or penalties available under Hawaii State law.
PRIVATE RIGHT OF ACTION. See subsection (b) under CONSEQUENCES FOR FAILING TO NOTIFY above: an injured individual may recover actual damages, plus any attorneys’ fees awarded by the court, from a business that violates this Section, but no such action may be brought against a governmental agency.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Haw. Rev. Stat. §§ 487R-1 - 487R-3.
§ 487R-2 Destruction of personal information records. (a) Any business or government agency that conducts business in Hawaii, and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii, shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
§ 487R-3 Penalties; civil action. Any business that violates any provision shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action. In addition to any penalty, any business that violates any provision shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court may award reasonable attorneys' fees to the prevailing party. The penalties shall be cumulative to the remedies or penalties available under all other laws of this State.
LEGISLATIVE UPDATES.
S.B. 2290 – Signed into law on 5/25/2006, Effective 1/1/2007.
S.B. 2402 – Signed into law on 4/17/2008, Effective 4/17/2008.
For more information, see here: https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-.htm
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.