STAND. COM. REP. NO. 919

 

Honolulu, Hawaii

                  

 

RE:    H.B. No. 678, H.D. 3, S.D. 1

 

 

 

Honorable Shan S. Tsutsui

President of the Senate

Twenty-Sixth State Legislature

Regular Session of 2011

State of Hawaii

 

Sir:

 

     Your Committees on Economic Development and Technology and Commerce and Consumer Protection and Judiciary and Labor, to which was referred H.B. No. 678, H.D. 3, entitled:

 

"A BILL FOR AN ACT RELATING TO INFORMATION,"

 

beg leave to report as follows:

 

     The purpose and intent of this measure is to:

 

     (1)  Require any government agency responsible for a security breach to pay for the costs of providing each person whose personal information was disclosed with, at a minimum, a three-year subscription to a nationwide consumer reporting agency's services;

 

     (2)  Amend the definition of "security breach" to include any incident of inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information; and

 

     (3)  Include a recipient of a security breach notification among those residents entitled to free security freeze services from a consumer credit reporting agency.

 

     Your Committees received testimony in support of this measure from the Imua Alliance.  Your Committees received testimony in opposition to this measure from the City and County of Honolulu Department of Human Resources; American Council of Life Insurers; Consumer Data Industry Association; State Privacy and Security Coalition, Inc.; Retail Merchants of Hawaii; Hawaii Medical Service Association; and one individual.  Your Committees received comments on this measure from the Department of Accounting and General Services, Department of the Attorney General, and Department of Commerce and Consumer Affairs Office of Consumer Protection.

 

     Your Committees previously heard two measures, S.B. No. 796 and S.B. No. 1162, which contained comparable and additional information security provisions.  Your Committees have amended this measure by deleting its contents and replacing them with the language in S.B. No. 796, S.D. 2, and S.B. No. 1162, S.D. 2.  As amended, this measure:

 

     (1)  Contains a findings and purpose section;

 

     (2)  Requires any government agency that maintains personal information systems to include mandatory training programs for any agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted;

 

     (3)  Requires a business that maintains personal information about residents of Hawaii to implement a comprehensive written information security program;

 

     (4)  Adds a definition of "credit reporting agency" and amends the definition of "security breach" to include any incident of inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information;

 

     (5)  Requires a notice of security breach to include toll-free contact telephone numbers and addresses for the major credit reporting agencies;

 

     (6)  Requires a government agency to submit a written report to the Information Privacy and Security Council, in addition to the Legislature, within twenty days after discovery of a security breach at the government agency;

 

     (7)  Requires the Information Privacy and Security Council to be responsible for coordinating the implementation of security breach guidelines by government agencies;

 

     (8)  Includes a victim of a security breach among those residents entitled to free security freeze services from a consumer credit reporting agency;

 

     (9)  Appropriates unspecified funds in support of the Information Privacy and Security Council for positions, security tools, maintenance, and licenses, including software and enhanced web applications;

 

    (10)  Amends the effective date from July 1, 2030, to July 1, 2050, to allow for further discussion; and

 

    (11)  Makes technical, nonsubstantive amendments for the purposes of clarity and consistency.

 

     Your Committees note that government agencies and businesses have raised concerns regarding the expanded definition of "security breach," and that the private sector continues to have concerns regarding the notice requirement.  Your Committees understand that efforts are underway to determine how best to address those concerns and urge the parties to continue to work with the Legislature regarding further amendments to this measure.

 

     As affirmed by the records of votes of the members of your Committees on Economic Development and Technology and Commerce and Consumer Protection and Judiciary and Labor that are attached to this report, your Committees are in accord with the intent and purpose of H.B. No. 678, H.D. 3, as amended herein, and recommend that it pass Second Reading in the form attached hereto as H.B. No. 678, H.D. 3, S.D. 1, and be referred to the Committee on Ways and Means.

 


Respectfully submitted on behalf of the members of the Committees on Economic Development and Technology and Commerce and Consumer Protection and Judiciary and Labor,

 

____________________________

ROSALYN H. BAKER, Chair

 

____________________________

CAROL FUKUNAGA, Chair

 

 

____________________________

CLAYTON HEE, Chair