STAND. COM. REP. NO. 2679

 

Honolulu, Hawaii

                

 

RE:    S.B. No. 2803

       S.D. 1

 

 

 

Honorable Colleen Hanabusa

President of the Senate

Twenty-Fourth State Legislature

Regular Session of 2008

State of Hawaii

 

Madam:

 

     Your Committee on Ways and Means, to which was referred S.B. No. 2803, S.D. 1, entitled:

 

"A BILL FOR AN ACT RELATING TO PERSONAL INFORMATION,"

 

begs leave to report as follows:

 

     The purpose of this measure is to implement the recommendations of the Hawaii Identity Theft Task Force Report of December 2007 to improve the security of personal information collected and maintained by state and county government agencies.

 

     Specifically, the measure:

 

     (1)  Requires each state and county agency to designate an employee to ensure the agency's compliance with requirements relating to the security of personal information;

 

     (2)  Establishes the information and privacy security council to be placed administratively within the Department of the Attorney General and appropriates funds for three staff analyst positions to support the council;

 

     (3)  Changes the effective date of chapter 487J, Hawaii Revised Statutes, relating to social security number protection, to July 1, 2009;

 

     (4)  Requires conditions on third party personal information use to be included in contracts between government agencies and third parties that provide support services on behalf of the agency;

 

     (5) Requires state and county agencies that collect, maintain, or disseminate documents with personal information to:

 

          (A)  Develop and implement a plan to protect the personal information; and

 

          (B)  Develop a written plan to eliminate unnecessary collection and use of social security numbers;

 

     (6)  Requires state and county agencies responsible for human resource functions to develop and distribute to agencies guidelines to minimize unauthorized access to personal information;

 

     (7)  Requires state and government agencies to develop a written policy regarding notification of security breaches of personal information; and

 

     (8)  Defines the terms:  "government agency", "personal information", "personal information system", "records", and "security breach".

 

     The Department of Education, the Retail Merchants of Hawaii, and the Hawaii Financial Services Association submitted testimony in support of the measure.  The Office of the Attorney General and the University of Hawaii submitted testimony in opposition.  The Judiciary and the Consumer Data Industry Association submitted comments.

 

     Your Committee finds that the Hawaii Identity Theft Task Force was originally established within the Department of the Attorney General as the Anti-Phishing Task Force by Act 65, Session Laws of Hawaii 2005.  Act 65 was amended by Act 140, Session Laws of 2006 to change the name to the Identity Theft Task Force, remove the Task Force from the Department of the Attorney General, require the Office of the Auditor to provide research and organizational support services to the Task Force, and extend its existence through December 31, 2007.  Act 140 also added additional members to the Task Force and further directed the Task Force to identify best practices to prevent identity theft and to identify and recommend solutions to issues involving social security number protection.  Act 183, Session Laws of Hawaii 2007, appropriated funds to the Office of the Auditor to further the efforts of the Task Force with continued research and support services to develop deterrents to identity theft.

 

     The Hawaii Identity Theft Task Force Report of December 2007 included twelve recommendations intended to assist state and government agencies in protecting personal information, with an emphasis on the security of social security numbers.  Your Committee notes that the extensive report reflects the concerted efforts and dedication, over a long period of time, of the members of the Task Force.  This measure includes various provisions or requirements intended to safeguard personal information collected and maintained by state and county agencies that were recommended by the Task Force.  However, from testimony submitted to this Committee and as noted in an earlier hearing on this measure, a number of concerns have been raised by various agencies or organizations in connection with the implementation of some of the bill's provisions.  While it is clear that a number of state and county agencies already have taken significant steps to ensure the security of an individual's personal information while in the agency's custody, it is also clear that further precautions may be needed in certain situations.  Your Committee recognizes that some of the security provisions in this measure raise issues that require continued discussions between the parties.

 

     Although your Committee strongly supports the Task Force's position that state and county agencies should implement all necessary and appropriate measures to ensure the security of personal information collected or maintained by those agencies, your Committee also shares the concerns of the parties with some of the provisions in the measure.  Accordingly, your Committee requests the parties to continue discussions on this measure to work out their concerns so that a measure in a form acceptable to all parties can be enacted to protect the residents of the State.

 

     As affirmed by the record of votes of the members of your Committee on Ways and Means that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 2803, S.D. 1, and recommends that it pass Third Reading.

 

Respectfully submitted on behalf of the members of the Committee on Ways and Means,

 

 

 

____________________________

ROSALYN H. BAKER, Chair