Implements measures to assist in the prevention of identity theft.

A BILL FOR AN ACT

SECTION 1. The Hawaii Revised Statutes is amended by adding to title 26 a new chapter to be appropriately designated and to read as follows:

"CHAPTER

§   -1 Purpose. The Federal Trade Commission recently determined that between October 1998 and September 2003, more than 27.3 million Americans have been victims of identity theft, resulting in billions of dollars of losses to consumers. The purpose of this chapter is to protect Hawaii consumers who are victims of identity theft by allowing them to (1) place a security freeze on their credit reports, (2) require that sensitive financial data be encrypted, (3) require notification when personal information may be compromised, and (4) prohibit companies from sharing or selling data without consumer consent. This security freeze will prohibit a credit reporting agency from releasing any information to unauthorized parties without the consumer's expressed consent and provide consumers more control over who has access to their credit report. Requiring sensitive financial data to be encrypted would help reduce the usefulness of stolen or lost data. Prohibiting companies from sharing or selling data without express consumer consent allows consumers the choice to restrict the proliferation of their personal information, reducing the chances for identity theft. This chapter will effectively prevent identity thieves from continuing to secure credit in a victim's name.

§   -2 Definitions. When used in this chapter, unless the context otherwise requires:

"Credit report" means any written, oral, or other communication of any credit information by a credit reporting agency, as defined in the federal Fair Credit Reporting Act, which operates or maintains a database of consumer credit information bearing on a consumer's credit worthiness, credit standing, or credit capacity.

"Credit reporting agency" means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer credit reports to third parties, but does not include any governmental agency whose records are maintained primarily for law enforcement or licensing purposes.

"Customer" means any person that is a resident of or is domiciled in this state and which has transacted or is transacting business with or has used or is using the services of a financial institution, or for which a financial institution has acted as a fiduciary with respect to trust property.

"Customer information" means either of the following:

Any original or any copy of any records held by a financial institution pertaining to a customer's relationship with the financial institution.

Any information derived from a record described in this definition.

"Federal institution regulatory agency" means any of the following: the federal deposit insurance corporation, the federal savings and loan insurance corporation, the national credit union administration, the federal reserve board, the United States comptroller of the currency, the federal home loan bank board, and the department of commerce and consumer affairs.

"Governmental agency" means any agency or department of this state, or any authorized officer, employee, or agent of an agency or department of this state.

"Identity theft" means the unauthorized use of another person's identifying information to obtain credit, goods, services, money, or property.

"Law enforcement agency" means any agency or department of this state or of any political subdivision of this state authorized by law to enforce the law and to conduct or engage in investigations or prosecutions for violations of law.

"Security freeze" means a notice placed in a credit report, at the request of the consumer who is a victim of identity theft.

§   -3 Security freeze by credit reporting agency. (a) A consumer who has been the victim of identity theft may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a credit reporting agency with a valid copy of a police report, investigative report, or complaint the consumer has filed with a law enforcement agency about the unlawful use of the consumer's personal information by another person. A credit reporting agency shall not charge a fee for placing or removing a security freeze on a credit report. A security freeze shall prohibit the credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer. When a security freeze is in place, information from a consumer's credit report shall not be released to a third party without prior express authorization from the consumer. This subsection does not prevent a credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

(b) A credit reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written request from the consumer.

(c) The credit reporting agency shall send a written confirmation of the security freeze to the consumer within ten business days of placing the security freeze and shall provide the consumer with a unique personal identification number or password, other than the consumer's social security number, to be used by the consumer when providing authorization for the release of the consumer's credit to a specific party or parties, or for a specific period of time.

(d) If the consumer wishes to allow access to the consumer's credit report by a specific party or parties, or for a specific period of time while the freeze is in place, the consumer shall contact the credit reporting agency, request that the freeze be temporarily lifted, and provide the following:

(e) A credit reporting agency may develop procedures involving the use of telephone, facsimile, the internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report in an expedited manner.

(f) A credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request.

(g) A credit reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:

If a credit reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this subsection, the credit reporting agency shall notify the consumer in writing prior to removing the freeze.

(h) If a third party requests access to a credit report for which a security freeze is in effect and this request is in connection with an application for credit or any other use and the consumer does not allow the consumer's credit report to be accessed by that specific party or for that period of time, the third party may treat the application as incomplete.

(i) If a consumer requests a security freeze, the credit reporting agency shall disclose to the consumer the process of placing and temporarily lifting a security freeze and the process for allowing access to information from the consumer's credit report by a specific party or parties, or for a specific period of time while the security freeze is in place.

(j) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer who provides both of the following:

(k) A credit reporting agency shall require clear and proper identification of the person making a request to place or remove a security freeze.

(l) This section, including the security freeze, shall not apply to the use of a consumer report by the following:

§   -4 Credit reporting agency duties if security freeze in place. If a security freeze is in place, a credit reporting agency shall not change any of the following official information in a credit report without sending a written confirmation of the change to the consumer within thirty days of the change being posted to the consumer's file: name, date of birth, social security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and the former address.

§   -5 Persons not required to place security freeze. The requirement under this chapter to place a security freeze on a credit report does not apply to:

§ -6 Duty of confidentiality. (a) A financial institution may not disclose customer information to any person, governmental agency, or law enforcement agency unless the disclosure is made in accordance with any of the following:

(3) To a governmental agency or law enforcement

§ -7 Consent. (a) No consent or waiver shall be required as a condition of doing business with any financial institution, and any consent or waiver obtained from a customer as a condition of doing business with a financial institution shall not be deemed a consent of the customer for purposes of this chapter.

(b) A valid consent must be in writing and signed by the customer. In consenting to disclosure of customer information, a customer may specify any of the following:

(1) The time during which such consent will operate;

(2) The customer information to be disclosed; and

(3) The persons, governmental agencies, or law

§ -8 Government access. (a) A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to either of the following:

(1) The consent of the customer, in accordance with

this chapter; or

(b) A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to a judicial or administrative subpoena duces tecum served on the financial institution, if there is no reason to believe the customer information sought is relevant to a proper law enforcement objective or is otherwise authorized by law.

(c) A governmental agency or law enforcement agency may obtain customer information from a financial institution pursuant to a search warrant if it obtains the search warrant pursuant to the rules of criminal procedure of this state. Examination of the customer information may occur as soon as it is reasonably practicable after the warrant is served on the financial institution.

§ -9 Suspicion of unlawful conduct. (a) Nothing in this chapter precludes a financial institution from initiating contact with, and thereafter communicating with and disclosing customer information to, a law enforcement agency when the financial institution reasonably believes that the customer about whom such information pertains:

(1) Is engaged in unlawful activity; or,

(2) Is defrauding the financial institution.

(b) Conviction of the customer or admission by the customer shall be conclusive of the reasonableness of the disclosure for purposes of this section.

(c) The burden is on the financial institution to show that at the time the disclosure was made, the disclosure was reasonable for the purposes of this section.

§ -10 Cost reimbursement. Any governmental agency, law enforcement agency, or person requiring or requesting access to customer information shall pay to the financial institution that assembles or provides the customer information a fee for reimbursement of reasonable necessary costs which have been directly incurred by the financial institution. A financial institution must deliver the customer information as soon as reasonably possible notwithstanding any dispute concerning the amount of reimbursement due under this section. A separate action may be maintained by the financial institution against the governmental agency, law enforcement agency, or person requiring or requesting access for recovery of reasonable reimbursement. The financial institution may not charge the legislative auditor for customer information requested when performing an audit; however, the financial institution may charge the entity being audited by the legislative auditor for the information required.

§ -11 Joint marketing agreements – consent. A financial institution must have a customer's consent before the financial institution may disclose the customer's information to a nonaffiliated third party under a joint marketing agreement as provided under section 502(b)(2) of the federal Financial Services Modernization Act of 1999.

§ -12 Exemptions. This part does not apply to any of the following:

(a) The disclosure of necessary customer information in the preparation, examination, handling, or maintenance of any customer information by any officer, employee, or agent of a financial institution having custody of such information or in the examination of such necessary information by an accountant engaged by the financial institution to perform an audit.

(b) The disclosure of necessary customer information in the examination of any customer information by or the furnishing of customer information to any officer, employee, or agent of a financial institution regulatory agency solely for use in the exercise of that person's duties.

(c) The publication of data derived from customer information if the data cannot be identified to any particular customer or account.

(d) Any acts required of the financial institution by the Internal Revenue Code.

(e) Disclosures permitted under the Uniform Commercial Code concerning the dishonor of any negotiable instrument.

(f) The exchange in the regular course of business of necessary customer credit information between a financial institution and other financial institutions or commercial entities, directly or indirectly through a customer reporting agency.

(g) The disclosure of customer information in the examination, handling, or maintenance of any customer information by any governmental agency or law enforcement agency for purposes of verifying information necessary in the licensing process, provided prior consent is obtained form the licensee and customer.

(h) The disclosure of customer information to a law enforcement agency or governmental agency pursuant to a search warrant or subpoena duces tecum issued in accordance with applicable statutes or court rules.

§ -13 Protection of personal and customer information. A person or business that acquires, owns, or licenses personal or customer information about a Hawaii resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal and customer information from unauthorized access, destruction, use, modification, or disclosure, including, but not limited to encryption of personal and customer information stored electronically or on magnetic media.

§ -14 Notice. (a) Any person or business that acquires, owns or licenses computerized data that includes personal or customer information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Hawaii whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(b) The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Notification under this section is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.

(e) For purposes of this section, notice may be provided by one of the following methods:

(1) Written notice;

(2) Electronic mail notice, if the notice provided is

(3) Substitute notice, if the person or business

demonstrates that:

(i) The cost of providing notice would exceed

two hundred fifty thousand dollars;

(ii) The affected class of persons to be notified

exceeds five hundred thousand; or

(iii)The person or business does not have

sufficient contact information.

(f) Substitute notice shall consist of all of the following:

(3) Notification by statewide media.

(g) Notwithstanding subsection (e) of this section, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies affected persons in accordance with its policies in the event of a breach of the security of the system.

§ -15 Exemptions. (a) The provisions of this part do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this part.

(b) Compliance with the state or federal law shall be deemed compliance with this part with regard to the subjects covered by this part.

(c) This section does not relieve a person or business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

§ -16 Waiver. Any waiver of a provision of this subchapter is contrary to public policy, void, and unenforceable.

§   -17 Violation; penalties. Any person who violates any provision of this chapter shall be deemed to have engaged in an unfair or deceptive act or practice in the conduct of trade or commerce within the meaning of section 480-2."

SECTION 2. If any provision of this Act, or the application thereof to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the Act, which can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

SECTION 3. This Act shall take effect on October 1, 2006.