Report Title:

Identity Theft; Notice of Breach

Description:

Requires persons, business, or government agencies who maintain personal information in computerized form to notify persons to whom the information relates of a breach of the security of the information. Authorizes attorney general to take legal action to enforce notice requirement.

HOUSE OF REPRESENTATIVES

H.B. NO.

3243

TWENTY-THIRD LEGISLATURE, 2006

STATE OF HAWAII

A BILL FOR AN ACT
RELATING TO IDENTITY THEFT.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. Chapter 481B, Hawaii Revised Statutes, is amended by adding a new part to be appropriately designated and to read as follows:

"Part   . BREACH OF SECURITY OF PERSONAL INFORMATION

§481B-A Definitions. As used in this part:

"Consumer" means an individual who is a resident of this State.

"Consumer reporting agency" has the meaning ascribed to it in 15 U.S.C. Sec. 1681a(f).

"Notice" means:

(1) Written notice;

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in §7001 of Title 15 of the United States Code; or

(3) Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000; the affected class of residents of this State to be notified exceeds five thousand residents; or the individual or the commercial entity does not have sufficient contact information to provide notice.

"Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government, or the State, any political subdivision of the State, or any board, agency, instrumentality, public corporation, or other governmental organization of the State or of any political subdivision of the State or other entity.

"Personal information" means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the resident, when the data elements are neither encrypted nor redacted:

(1) Social Security number;

(2) Driver's license number or state identification card number;

(3) Account number, or credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a resident's financial account.

The term "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

"Security breach":

(1) Means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity and that causes or the person reasonably believes has caused or will cause identity theft or other fraud to any resident of this State; and

(2) Does not include good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity, provided that the personal information is not used for or is not subject to further unauthorized disclosure.

"Substitute notice" includes all of the following:

(1) E-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of state residents;

(2) Conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and

(3) Notification to major statewide media.

§481B-B Security breach notification. (a) A person that conducts business in this State, or a government, governmental subdivision, agency, or entity that owns or licenses computerized data that includes personal information shall give notice to a resident of this State of any breach of the security of the system immediately following the discovery of a breach in the security of personal information of the consumer whose unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and that causes, or the person reasonably believes has caused or will cause, identity theft or other fraud to any resident of this State. Notification shall be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b) A person or a commercial entity that maintains computerized data that includes personal information that the person or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.

(c) Notice required by this part may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this part shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

(d) Notwithstanding any other provision in this part, a person or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this part, is deemed to be in compliance with the notice requirements of this part if the person or the commercial entity notifies affected residents of this State in accordance with its policies in the event of a breach of security of the system.

(e) If a person or a commercial entity that is regulated by state or federal law provides greater protection to personal information than that provided by this part in regard to the subjects addressed by this part, compliance with that state or federal law is deemed compliance with this part with regard to those subjects. This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.

(f) In the event that a person discovers circumstances requiring notification pursuant to this part of more than one thousand persons at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. §1681a(p), of the timing, distribution, and content of the notices.

§481B-C Violations; remedies. The attorney general is empowered to bring an action in law or equity to address any violation of this part and for other relief that may be appropriate. The provisions of this part are not exclusive and do not relieve a person or a commercial entity subject to this part from compliance with all other applicable provisions of law."

SECTION 2. In codifying the new sections added by section 1 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.

SECTION 3. This Act shall take effect upon its approval.

INTRODUCED BY:

_____________________________