Report Title:

Identity Theft; Personal Information; Government Agencies


Description:

Implements recommendations of the 12/2007 report of the Hawaii identity theft task force to protect the security of personal information collected and maintained by state and county government.  (SB2803 HD1)



THE SENATE
TWENTY-FOURTH LEGISLATURE, 2008
STATE OF HAWAII

S.B. NO. 2803
S.D. 1
H.D. 1

A BILL FOR AN ACT


RELATING TO PERSONAL INFORMATION.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:



PART I

     SECTION 1.  The purpose of this Act is to implement the recommendations of the December 2007 report of the Hawaii identity theft task force to protect the security of personal information collected and maintained by state and county government agencies.

PART II

     SECTION 2.  Chapter 487J, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:

     "§487J-A  Policy and oversight responsibility.  (a)  By September 1, 2009, each government agency shall designate an agency employee to have policy and oversight responsibilities for the protection of personal information.

     (b)  The designated agency employee shall:

     (1)  Ensure and coordinate agency compliance with this chapter, chapter 487N, and chapter 487R;

     (2)  Assist individuals who have identity theft and other privacy-related concerns;

     (3)  Provide education and information to agency staff on privacy and security issues;

     (4)  Coordinate with state, county, and federal law enforcement agencies on identity theft investigations; and

     (5)  Recommend policies and practices to protect individual privacy rights relating to the individual's personal information."

     SECTION 3.  Section 487J-1, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows:

     ""Personal information" has the same meaning as in section 487N-1."

     SECTION 4.  Chapter 487N, Hawaii Revised Statutes, is amended by adding three new sections to be appropriately designated and to read as follows:

     "§487N-A  Information privacy and security council; established; duties; reports.  (a)  There is established an information privacy and security council within the department of the attorney general for administrative purposes only.  Members of the council shall be appointed no later than September 1, 2008, by the governor without regard to section 26-34 and shall be composed of representatives of state and county agencies.

     (b)  By January 1, 2009, the council shall submit to the legislature a report of the council's assessment and recommendations on initiatives to mitigate the negative impacts of identity theft incidents on individuals.  The report shall emphasize assessing the merits of identity theft passport and identity theft registry initiatives that have been implemented in other states.

     (c)  No later than June 30, 2009, the council shall develop guidelines to be considered by government agencies in deciding whether, how, and when a government agency shall inform affected individuals of the loss, disclosure, or security breach of personal information that can contribute to identity theft.  The guidelines shall provide a standardized, risk-based notification process in the instance of a security breach.

     (d)  The council shall review the individual annual reports submitted by government agencies pursuant to section 487N-C, and submit a summary report to the legislature no later than twenty days prior to the convening of the regular session of 2010 and each year thereafter.  The summary report shall include the council's findings, significant trends, and recommendations to protect personal information used by government agencies.

     The initial report to the legislature shall also include proposed legislation to amend section 487N-2 or any other law that the council deems necessary to conform to the guidelines established under subsection (c).

     §487N-B  Personal information security; best practices; websites.  (a)  The council shall identify best practices to assist government agencies in improving security and privacy programs relating to personal information.  No later than March 31, 2009, the council shall identify best practices relating to:

     (1)  Automated tools;

     (2)  Training;

     (3)  Processes; and

     (4)  Applicable standards.

     (b)  No later than July 31, 2009, the best practices identified by the council shall be posted on each government agency's website in a manner that is readily accessible by employees of the government agency.

     §487N-C  Personal information system; government agencies; annual report.  (a)  Effective January 1, 2009, any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency's previous annual report.  The annual report shall be submitted no later than September 30 of each year.

     (b)  The annual report shall include:

     (1)  The name or descriptive title of the personal information system and its location;

     (2)  The nature and purpose of the personal information system and the statutory or administrative authority for its establishment;

     (3)  The categories of individuals on whom personal information is maintained, including:

         (A)  The approximate number of all individuals on whom personal information is maintained; and

         (B)  The categories of personal information generally maintained in the system, including identification of records that are:

              (i)  Stored in computer accessible records; or

             (ii)  Maintained manually;

     (4)  All confidentiality requirements relating to:

         (A)  Personal information systems or parts thereof that are confidential pursuant to statute, rule, or contractual obligation; and

         (B)  Personal information systems maintained on an unrestricted basis;

     (5)  Detailed justification of the need for statutory or regulatory authority to maintain any personal information system or part thereof on a confidential basis for all personal information systems or parts thereof that are required by law or rule;

     (6)  The categories of sources of personal information;

     (7)  The agency's policies and practices regarding personal information storage, duration of retention of information, and elimination of information from the system;

     (8)  The uses made by the agency of personal information contained in any personal information system;

     (9)  The identity of agency personnel, by job classification, and other agencies, persons, or categories to whom disclosures of personal information are made or to whom access to the personal information system may be granted, including the purposes of access and any restrictions on disclosure, access, and redisclosure;

    (10)  A list identifying all forms used by the agency in the collection of personal information; and

    (11)  The name, title, business address, and telephone number of the individual immediately responsible for complying with this section.

     (c)  For purposes of this section:

     "Personal information system" means any manual or automated recordkeeping process that contains personal information and the name, personal number, or other identifying particulars of a data subject."

     SECTION 5.  Section 487N-1, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows:

     ""Council" means the information privacy and security council established under section 487N-A."

     SECTION 6.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2008-2009 for three staff analyst positions to support the work of the information privacy and security council established pursuant to this Act.

     The sum appropriated shall be expended by the department of the attorney general for purposes of this part.

PART III

     SECTION 7.  Act 137, Session Laws of Hawaii 2006, as amended by Act 183, Session Laws of Hawaii 2007, section 11, is amended by amending section 3 to read as follows:

     "SECTION 3.  This Act shall take effect on July 1, [2008.] 2009."

PART IV

     SECTION 8.  Practices and procedures relating to security of laptops, removable data storage devices, and communication devices.  By December 31, 2008, the information privacy and security council established under section 487N-A, Hawaii Revised Statutes, in consultation with the information and communication services division of the department of accounting and general services, and the information technology divisions of the respective counties, shall develop recommended practices and procedures to provide guidance to information technology managers in all government agencies relating to the security of laptops, removable data storage devices, and communication devices used to remotely access applications installed on state or county networks.  The council shall include recommendations on best practices and standards for protecting personal information that may be used with, stored on, or transmitted by the foregoing devices.

PART V

     SECTION 9.  Third party personal information use contractual provisions.  Effective September 1, 2008, any government agency that contracts with third parties to provide support services on behalf of the agency shall include, in all new or renewed contracts, provisions to protect the use and disclosure of personal information administered by the agency.

     Provisions relating to personal information protection in contractual agreements with third parties shall require:

     (1)  Implementation of technological safeguards acceptable to the government agency to reduce exposure to unauthorized access to personal information;

     (2)  Mandatory training on security awareness topics relating to personal information protection for employees of the third party;

     (3)  Confidentiality agreements to be signed by third party employees acknowledging that:

          (A)  The personal information collected, used, or maintained by the government agency is confidential;

         (B)  Access to the personal information is restricted to the minimum necessary; and

         (C)  Use of the personal information is restricted to uses consistent with the services subject to the contractual agreement;

     (4)  Clarification that no personal information shall be retained or used for a purpose other than that for which it was originally collected by the third party and all copies of personal information records shall be destroyed by the third party at the conclusion of the contract;

     (5)  Prompt and complete disclosure of security breaches; and

     (6)  A complete log of disclosures made of the government agency personal information.

     As used in this section, "technological safeguards" means the technology and the policy and procedures for use of the technology to protect and control access to personal information.

PART VI

     SECTION 10.  (a)  Guidance on recommended human resources practices to protect personal information.  No later than January 1, 2009, the lead state and county government agencies that have primary responsibility for human resource functions shall develop and distribute to the appropriate government agencies written guidelines detailing recommended practices to minimize unauthorized access to personal information and personal information systems relating to personnel recruitment, background checks, testing, employee retirement and health benefits, and time-reporting and payroll issues.  The recommended practices shall address, at a minimum:

     (1)  Physical safeguards for paper and electronic records stored onsite and offsite, as well as for removable storage media that includes laptop computers, USB storage devices, compact discs, and tapes;

     (2)  Administrative safeguards to control and monitor access to human resources personal information systems; and

     (3)  Technological safeguards to ensure the confidentiality and integrity of information transmitted over computer networks, laptop computers, and removable storage devices.

     (b)  Definitions.  For the purpose of this part:

     "Administrative safeguards" means administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect personal information and to manage the conduct of the workforce in relation to the protection of personal information.

     "Physical safeguards" means physical measures, policies, and procedures to protect personal information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

PART VII

     SECTION 11.  (a)  Security breach notification policy.  No later than September 1, 2009, all government agencies shall develop a written agency policy relating to notification of any security breach of personal information.  The policy shall ensure appropriate safeguards to protect personal information and shall apply to electronic system and paper document records that contain personal information.

     The security breach notification policy for government agencies shall consider guidelines established by the information privacy and security council under section 487N-A, Hawaii Revised Statutes, and shall include provisions to determine:

     (1)  Whether security breach notification is required;

     (2)  The timeliness of the notification;

     (3)  The source of the notification;

     (4)  The contents of the notification;

     (5)  The manner in which notification shall be provided; and

     (6)  Recipients of notification.

     (b)  Security breach notification policy review and amendment.  No later than September 1, 2009, all government agencies shall submit their security breach notification policy to the attorney general, appropriate corporation counsel, or county attorney for review and comment.  A government agency's security breach notification policy shall be promptly amended to incorporate revisions recommended by the attorney general, corporation counsel, or county attorney after review of the security breach notification policy.

     Beginning December 31, 2010, government agencies shall review their security breach notification policies by December 31 annually and make amendments as necessary.  Information relating to a government agency's security breach notification policy, including any amendments, shall be disseminated to the appropriate employees in each government agency.

PART VIII

     SECTION 12.  Definitions.  For purposes of this Act:

     "Government agency" has the same meaning as in section 487N-1, Hawaii Revised Statutes.

     "Personal information" has the same meaning as in section 487N-1, Hawaii Revised Statutes.

     "Personal information system" means any manual or automated recordkeeping process that contains personal information and the name, personal number, or other identifying particulars of a data subject.

     "Records" has the same meaning as in section 487N-1, Hawaii Revised Statutes.

     "Security breach" has the same meaning as in section 487N-1, Hawaii Revised Statutes.

     SECTION 13.  In codifying the new sections added by sections 2 and 4 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.


PART IX

     SECTION 14.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

     SECTION 15.  This Act shall take effect on July 1, 2025.