A BILL FOR AN ACT

RELATING TO INFORMATION.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  Chapter 487N, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:

     "§487N-    Information security program.  (a)  A business that maintains personal information about residents of Hawaii shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of personal information of residents of Hawaii.  The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the business and the nature and scope of its activities.

     (b)  The information security program of a business shall be designed to:

     (1)  Ensure the security and confidentiality of personal information of residents of Hawaii;

     (2)  Protect against any anticipated threats or hazards to the security or integrity of the information; and

     (3)  Protect against unauthorized access to or use of the information that could result in substantial harm to any resident of Hawaii.

     (c)  The business shall train its staff, as appropriate, to implement the security program of the business.

     (d)  This section shall not apply to a financial institution that is subject to the federal Interagency Guidelines Establishing Information Security Standards in 12 C.F.R. Part 748, Appendix A, both as amended from time to time."

     SECTION 2.  Section 487N-1, Hawaii Revised Statutes, is amended as follows:

     1.  By adding a new definition to be appropriately inserted and to read:

     ""Credit reporting agency" means a nationwide consumer credit reporting agency, such as Equifax, Experian, or TransUnion, or any successor entity thereof, that provides consumer credit monitoring and reporting services."

     2.  By amending the definition of "security breach" to read:

     ""Security breach" [means an]:

     (1)  Means:

         (A)  Any incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person[.];

         (B)  Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach[.  Good]; and

         (C)  Any incident of inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information constitutes a security breach; and

     (2)  Does not include good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose [is not a security breach]; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure."

     SECTION 3.  Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (d) to read as follows:

     "(d)  The notice shall be clear and conspicuous.  The notice shall include a description of the following:

     (1)  The incident in general terms;

     (2)  The type of personal information that was subject to the unauthorized access and acquisition;

     (3)  The general acts of the business or government agency to protect the personal information from further unauthorized access;

     (4)  A telephone number that the person may call for further information and assistance, if one exists; [and]

     (5)  Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports[.]; and

     (6)  The toll-free contact telephone numbers and addresses for the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a, and information on how to place a fraud alert or security freeze."

     SECTION 4.  Section 489P-2, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows:

     ""Security breach" has the same meaning as in section 487N‑1."

     SECTION 5.  Section 489P-3, Hawaii Revised Statutes, is amended by amending subsection (a) to read as follows:

     "(a)  Any consumer who is a resident of this State may place a security freeze on the consumer's credit report.  A consumer credit reporting agency shall not charge a victim of identity theft or a security breach a fee for placing, lifting, or removing a security freeze on a credit report but may charge any other consumer a fee not to exceed $5 for each request by the consumer to place, lift, or remove a security freeze from the consumer's credit report.

     A consumer who is a resident of this State and has been the victim of identity theft or a security breach may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency, at an address designated by the agency to receive such requests, with a valid copy of a police report, investigative report, or complaint the consumer has filed with a law enforcement agency about unlawful use of the consumer's personal information by another person.  A consumer who has not been the victim of identity theft or a security breach may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency.

     A security freeze shall prohibit the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.  This subsection shall not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report."

     SECTION 6.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 7.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

SECTION 8.  This Act shall take effect on July 1, 2050.

Report Title:

Personal Information; Security Breach

Description:

Requires a business that maintains personal information about residents of Hawaii to implement a comprehensive written information security program; exempts financial institutions subject to certain federal guidelines; requires that a consumer credit reporting agency not charge a victim of identity theft or a security breach a fee for placing, lifting, or removing a security freeze on a credit report.  Effective 7/1/2050.  (SD2)

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.