(a) Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

Terms Used In Hawaii Revised Statutes 487N-2

  • Business: means a sole proprietorship, partnership, corporation, association, or other group, however organized, and whether or not organized to operate at a profit. See Hawaii Revised Statutes 487N-1
  • Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
  • Discovery: Lawyers' examination, before trial, of facts and documents in possession of the opponents to help the lawyers prepare for trial.
  • Federal Reserve System: The central bank of the United States. The Fed, as it is commonly called, regulates the U.S. monetary and financial system. The Federal Reserve System is composed of a central governmental agency in Washington, D.C. (the Board of Governors) and twelve regional Federal Reserve Banks in major cities throughout the United States. Source: OCC
  • Government agency: means any department, division, board, commission, public corporation, or other agency or instrumentality of the State or of any county. See Hawaii Revised Statutes 487N-1
  • Personal information: means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

    (1) Social security number;

    (2) Driver's license number or Hawaii identification card number; or

    (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account. See Hawaii Revised Statutes 487N-1

  • Records: means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. See Hawaii Revised Statutes 487N-1
  • Security breach: means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. See Hawaii Revised Statutes 487N-1

(b) Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c).
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business or government agency that notification may impede a criminal investigation or jeopardize national security and requests a delay; provided that such request is made in writing, or the business or government agency documents the request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business or government agency its determination that notice will no longer impede the investigation or jeopardize national security.
(d) The notice shall be clear and conspicuous. The notice shall include a description of the following:

(1) The incident in general terms;
(2) The type of personal information that was subject to the unauthorized access and acquisition;
(3) The general acts of the business or government agency to protect the personal information from further unauthorized access;
(4) A telephone number that the person may call for further information and assistance, if one exists; and
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:

(1) Written notice to the last available address the business or government agency has on record;
(2) Electronic mail notice, for those persons for whom a business or government agency has a valid electronic mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001;
(3) Telephonic notice, provided that contact is made directly with the affected persons; and
(4) Substitute notice, if the business or government agency demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business or government agency does not have sufficient contact information or consent to satisfy paragraph (1), (2), or (3), for only those affected persons without sufficient contact information or consent, or if the business or government agency is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:

(A) Electronic mail notice when the business or government agency has an electronic mail address for the subject persons;
(B) Conspicuous posting of the notice on the website page of the business or government agency, if one is maintained; and
(C) Notification to major statewide media.
(f) In the event a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify in writing, without unreasonable delay, the State of Hawaii’s office of consumer protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(g) The following businesses shall be deemed to be in compliance with this section:

(1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and
(2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.
(h) Any waiver of the provisions of this section is contrary to public policy and is void and unenforceable.