STAND. COM. REP. NO. 2532

Honolulu, Hawaii

,

RE: S.B. No. 2290

S.D. 1

 

 

Honorable Robert Bunda

President of the Senate

Twenty-Third State Legislature

Regular Session of 2006

State of Hawaii

Sir:

Your Committees on Commerce, Consumer Protection, and Housing and Media, Arts, Science, and Technology, to which was referred S.B. No. 2290 entitled:

"A BILL FOR AN ACT RELATING TO PROTECTION FROM SECURITY BREACHES,"

beg leave to report as follows:

The purpose of this measure is to require that businesses that experience a security breach notify affected persons of the breach and to add a new chapter to title 26 of the Hawaii Revised Statutes.

Testimony in support of this measure was submitted by the Department of Commerce and Consumer Affairs, the Honolulu Police Department, Hawaii Bankers Association, Consumer Data Industry Association, Hawaii Credit Union League, Retail Merchants of Hawaii, and Hawaii Medical Service Association. The American Council of Life Insurers State Farm Insurance Companies submitted testimony in opposition to this measure. State Farm Insurance Companies submitted comments.

This measure imposes requirements on businesses to protect a person's identity. However, the Department of Commerce and Consumer Affairs recognizes, and your Committees find, that the obligations imposed by this measure should also extend to government agencies in Hawaii.

Your Committees further find that this measure seeks to alleviate the growing plague of identity theft by requiring businesses that maintain records containing resident individuals' personal information to notify an individual whenever the individual's personal information has been compromised by an unauthorized disclosure. This measure will provide clear guidance to businesses as to notification requirements and will protect Hawaii consumers by giving them valuable tools to protect themselves from financial harm once their financial information is compromised.

Your Committees have amended this measure by:

(1) Amending the title of the chapter to "Notification of Security Breaches";

(2) Amending the definition of "security breach" to apply to unencrypted or unredacted records or data, not unencrypted and unredacted;

(3) Clarifying that written notice under this measure is to be sent to the last available address the person, business or government agency has on record;

(4) Clarifying that in the event a business provides notice to more than 1,000 persons at one time pursuant to this measure, the business will notify in writing the Office of Consumer Protection and all consumer reporting agencies of this notice to affected persons;

(5) Strengthening enforcement under this proposed measure by allowing the attorney general or the director of the office of consumer protection to bring an action based on unfair or deceptive acts or practices declared unlawful by this measure; and

(6) Extending the effective date of this measure to January 1, 2007.

As affirmed by the records of votes of the members of your Committees on Commerce, Consumer Protection, and Housing and Media, Arts, Science, and Technology that are attached to this report, your Committees are in accord with the intent and purpose of S.B. No. 2290, as amended herein, and recommend that it pass Second Reading in the form attached hereto as S.B. No. 2290, S.D. 1, and be referred to the Committee on Judiciary and Hawaiian Affairs.

Respectfully submitted on behalf of the members of the Committees on Commerce, Consumer Protection, and Housing and Media, Arts, Science, and Technology,

____________________________

CAROL FUKUNAGA, Chair

____________________________

RON MENOR, Chair