Report Title:
Crime; identity theft
Description:
Implements measures to assist in the prevention of identity theft.
HOUSE OF REPRESENTATIVES
H.B. NO. 2919
TWENTY-THIRD LEGISLATURE, 2006
STATE OF HAWAII
A BILL FOR AN ACT
relating to identity theft.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding to title 26 a new chapter to be appropriately designated and to read as follows:
"CHAPTER
§ -1 Purpose. The Federal Trade Commission recently determined that between October 1998 and September 2003, more than 27.3 million Americans were victims of identity theft, resulting in billions of dollars of losses to consumers. The purpose of this chapter is to protect Hawaii consumers who are or may become victims of identity theft by (1) allowing them to place a security freeze on their credit reports; (2) requiring that sensitive personal and financial data be secured physically during both storage and transit and electronically at all times, by means including but not limited to strong encryption, firewalls, strictly limited access, the use of hashed values instead of real data for personal identifiers, and all other means that may become best practices within the data processing industry; (3) requiring notification when personal information may be compromised; and (4) prohibiting companies from sharing or selling data without consumer consent. The security freeze will prohibit a credit reporting agency from releasing any information to unauthorized parties without the consumer's express consent and will give consumers more control over who has access to their credit report. Requiring sensitive financial data to be encrypted and protected would reduce both the incidence of data loss and the usefulness of stolen or lost data. Prohibiting companies from sharing or selling data without express consumer consent gives consumers the choice to restrict the proliferation of their personal information, reducing the chances of identity theft. This chapter is designed to prevent identity thieves from continuing to secure credit in a victim's name.
§ -2 Definitions. When used in this chapter, unless the context otherwise requires:
"Commercial institution" means any organization doing business or having a nexus within the State of Hawaii, including credit reporting agencies.
"Credit reporting agency" means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer credit reports to third parties, but does not include any governmental agency whose records are maintained primarily for law enforcement or licensing purposes.
"Customer" means any person who is a resident of or is domiciled in this State and who has transacted or is transacting business with, or has used or is using the services of, a financial institution, or for whom a financial institution has acted as a fiduciary with respect to trust property.
"Customer information" means either of the following:
(1) Any original or any copy of any record held by a financial institution pertaining to a customer's relationship with the financial institution; or
(2) Any information derived from a record described in paragraph (1).
"Federal institution regulatory agency" means any of the following: the federal deposit insurance corporation, the federal savings and loan insurance corporation, the national credit union administration, the federal reserve board, the United States comptroller of the currency, the federal home loan bank board, and the department of commerce and consumer affairs.
"Governmental agency" means any agency or department of this state, or any authorized officer, employee, or agent of an agency or department of this state.
"Identity theft" means the unauthorized use of another person's identifying information to obtain credit, goods, services, money, or property.
"Law enforcement agency" means any agency or department of this state or of any political subdivision of this state authorized by law to enforce the law and to conduct or engage in investigations or prosecutions for violations of law.
PART I – PROTECTION OF PERSONAL AND CUSTOMER INFORMATION
§ -3 Protection of personal and customer information. A person or business that acquires, owns, licenses, or possesses personal or customer information about a Hawaii resident shall implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal and customer information from unauthorized access, destruction, use, modification, or disclosure. Security procedures shall include, but shall not be limited to, physical security measures, such as locks or security guards, during both storage and transit, and electronic security measures at all times, including strong encryption, firewalls, strictly limited access, the use of hashed values instead of real data for personal identifiers, and all other means that may become best practices within the data processing industry.
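The "hashed values instead of real data for personal identifiers" measure in § -3 carries a caveat a practitioner would want on record: an unkeyed hash of a low-entropy identifier such as a nine-digit Social Security number is not a substitute for the real data, because an attacker holding the digests can enumerate all 10^9 candidate numbers and compare. The example below is added here for illustration and is not part of the bill or of any Hawaii statute; the sample SSN, the assumption that the attacker knows the first five digits, and the pepper value are all constructed for the demonstration. It shows the enumeration attack succeeding against plain SHA-256 and failing against HMAC-SHA256 when the key is kept out of the attacker's reach.

```python
"""Added example: why 'hashed values instead of real data' needs a secret key.

A plain (unkeyed) hash of a nine-digit SSN is reversible by enumeration:
there are only 10^9 candidates, and an attacker who knows part of the number
(assumed here: the first five digits) has only 10^4 left to try. A keyed hash
(HMAC) under a secret "pepper" held outside the database does not share that
weakness, because the attacker cannot compute candidate digests without the key.
"""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample identifier for the demo; not a real person's SSN.
SAMPLE_SSN = "123456789"
# Assumption: the pepper lives in a KMS/HSM, never in the same store as the digests.
DEMO_PEPPER = b"demo-pepper-keep-out-of-the-database"


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: the naive reading of 'hashed values'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash(identifier: str, pepper: bytes) -> str:
    """HMAC-SHA256 under a secret pepper held outside the data store."""
    return hmac.new(pepper, identifier.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(
    target_digest: str, known_prefix: str, hash_fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker model: holds a stolen digest, knows the leading digits of the
    SSN, and can run the same hash function the defender used. Tries every
    remaining serial and returns the match, or None if nothing matches."""
    width = 9 - len(known_prefix)
    for serial in range(10 ** width):
        candidate = f"{known_prefix}{serial:0{width}d}"
        if hmac.compare_digest(hash_fn(candidate), target_digest):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the enumeration attack against both storage schemes.

    Returns (recovered_from_plain_hash, recovered_from_keyed_hash)."""
    prefix = SAMPLE_SSN[:5]

    stored_plain = plain_hash(SAMPLE_SSN)
    from_plain = recover_by_enumeration(stored_plain, prefix, plain_hash)

    stored_keyed = keyed_hash(SAMPLE_SSN, DEMO_PEPPER)
    # Without the pepper the attacker can only compute unkeyed SHA-256
    # (or HMAC under a wrong key), so no candidate digest matches.
    from_keyed = recover_by_enumeration(stored_keyed, prefix, plain_hash)

    return from_plain, from_keyed


if __name__ == "__main__":
    plain_result, keyed_result = demo()
    print("plain SHA-256 of SSN recovered:", plain_result)
    print("HMAC-SHA256 of SSN recovered:", keyed_result)
```

Two design points follow from the demo. First, the keyed scheme is only as good as the separation between the digests and the pepper: if an attacker who takes the database also obtains the key, the scheme collapses to the plain-hash case, so the key belongs in a KMS or HSM, not in application configuration stored beside the data. Second, an unkeyed hash maps the same SSN to the same digest everywhere, so leaked digests from two organizations can be joined on the identifier; a per-system pepper also prevents that cross-dataset linkage.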
§ -4 Damages. Any person or business that acquires, owns or licenses personal or customer information shall be strictly liable for damages a customer suffers as a result of a violation of this part.
PART II – NOTICE; DISCLOSURE OF INFORMATION
§ -5 Notice. (a) Any person or business that acquires, owns or licenses data that includes personal or customer information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of Hawaii whose unencrypted personal or customer information was, or is reasonably believed to have been, acquired by an unauthorized person.
(b) The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Any person or business that maintains data including personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Notification under this section is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.
(e) For purposes of this section, notice may be provided by one of the following methods:
(1) Written notice;
(2) Electronic mail notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001, as it existed on January 1, 2005; or
(3) Substitute notice, if the person or business demonstrates that:
(i) The cost of providing notice would exceed two hundred fifty thousand dollars;
(ii) The affected class of persons to be notified exceeds five hundred thousand; or
(iii) The person or business does not have sufficient contact information.
(f) Substitute notice shall consist of all of the following:
(1) Electronic mail notice when the person or business has an electronic mail address for the subject persons;
(2) Conspicuous posting of the notice on the website of the person or business, if the person or business maintains a website; and
(3) Notification by statewide media.
(g) Notwithstanding subsection (e) of this section, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies affected persons in accordance with its policies in the event of a breach of the security of the system.
§ -6 Exemptions. (a) The provisions of this part do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this part.
(b) Compliance with the state or federal law shall be deemed compliance with this part with regard to the subjects covered by this part.
(c) This section does not relieve a person or business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
§ -7 Waiver. Any waiver of a provision of this subchapter is contrary to public policy, void, and unenforceable.
§ -8 Penalty. A violation of this part constitutes an unfair and deceptive trade practice.
PART III – RETAINED INFORMATION; LIMITS
§ -9 Limitations. A person or business may retain personal or customer information for business use. The information retained shall be only that which is absolutely necessary for the purposes of the business.
§ -10 Damages. Any person or business that retains personal or customer information shall be strictly liable for damages a customer suffers as a result of a violation of this part."
SECTION 2. If any provision of this Act, or the application thereof to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of the Act, which can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.
SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun, before its effective date.
SECTION 4. This Act shall take effect on October 1, 2006.
INTRODUCED BY: _____________________________