SENATE RESOLUTION

REQUESTING THE chief information officer TO CONVENE A WORKING GROUP TO assess existing procedures of NOTIFICATION following the BREACH OF PERSONAL INFORMATION.

     WHEREAS, individual personal information is increasingly stored online or in electronic format; and

     WHEREAS, chapter 487N, Hawaii Revised Statutes, sets outs procedures for state and county government agencies to report to the Legislature certain information after discovery of a security breach; and

     WHEREAS, the information required to be reported includes information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent, whether the notice was delayed due to law enforcement considerations, and any procedures that have been implemented to prevent the breach from reoccurring; and

     WHEREAS, chapter 487N, Hawaii Revised Statutes, also establishes the Information Privacy and Security Council, which is tasked with reviewing annual reports on personal information systems from government agencies and noting findings, significant trends, and recommendations to protect personal information used by government agencies; and

     WHEREAS, despite statutory requirements for notice to be provided and ongoing efforts by the Information Privacy and Security Council to make recommendations to protect personal information used by government agencies, this body finds that further improvements to the notification process are necessary; now, therefore,

     BE IT RESOLVED by the Senate of the Twenty-eighth Legislature of the State of Hawaii, Regular Session of 2015, that the Chief Information Officer is requested to convene a working group to assess the means by which state and county agencies generally notify individuals following a breach of personal information; and

     BE IT FURTHER RESOLVED that the purpose of the working group is to research and report to the Legislature:

     (1)  Notification procedures currently followed when contacting and notifying an individual about the breach of personal information, particularly when the personal information is stored or accessible online;

     (2)  Software or other electronic programs generally used that foster improvement of personal information protection; and

     (3)  Recommendations of amended or new methods to more securely and promptly provide notification; and

     BE IT FURTHER RESOLVED that the working group include the following members:

     (1)  The Chief Information Officer of the Office of Information Management and Technology, who shall serve as the chairperson for the working group;

     (2)  One representative from the Department of Public Safety;

     (3)  One representative from the Information Technology Services Office of the University of Hawaii; and

     (4)  Two individuals with a demonstrated record of knowledge and experience in data or personal information protection to be selected by the Chief Information Officer; and

     BE IT FURTHER RESOLVED that the Chief Information Officer is requested to submit a report of findings and recommendations, including any proposed legislation, to the Legislature no later than twenty days prior to the convening of the Regular Session of 2016; and

     BE IT FURTHER RESOLVED that the working group be dissolved on June 30, 2016; and

     BE IT FURTHER RESOLVED that certified copies of this Resolution be transmitted to the Chief Information Officer of the Office of Information Management and Technology and Director of Public Safety.

Report Title: 

Office of Information Management and Technology; Personal Information; Data Breach; Working Group; Establishment