STAND. COM. REP. NO. 1205

 

Honolulu, Hawaii

                  

 

RE:    H.B. No. 678

       H.D. 3

       S.D. 2

 

 

 

Honorable Shan S. Tsutsui

President of the Senate

Twenty-Sixth State Legislature

Regular Session of 2011

State of Hawaii

 

Sir:

 

     Your Committee on Ways and Means, to which was referred H.B. No. 678, H.D. 3, S.D. 1, entitled:

 

"A BILL FOR AN ACT RELATING TO INFORMATION,"

 

begs leave to report as follows:

 

     The purpose and intent of this measure is to strengthen the safeguards against security breaches of personal information.

 

     Specifically, this measure:

 

     (1)  Requires government agencies that maintain personal information systems to include mandatory training programs for agency personnel;

 

     (2)  Requires businesses that maintain personal information to implement an information security program;

 

     (3)  Amends the definition of "security breach" in chapter 487N, Hawaii Revised Statutes, to include any inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information;

 

     (4)  Requires a notice of security breach pursuant to chapter 487N, Hawaii Revised Statutes, to include toll-free contact telephone numbers and addresses for the major credit reporting agencies;

 

     (5)  Requires the information privacy and security council to be responsible for coordinating the implementation of security breach guidelines by government agencies;

 

     (6)  Includes victims of a security breach among those residents entitled to free security freeze services; and

 

     (7)  Appropriates unspecified amounts for the information privacy and security council for positions and security tools.

 

     Your Committee received comments in opposition to this measure from Gary M. Slovin and Mihoko E. Ito on behalf of the Consumer Data Industry Association; Carol Pregill, President, Retail Merchants of Hawaii; and Oren T. Chikamoto, on behalf of the American Council of Life Insurers.

 

     Your Committee finds that it is in the best interests of the residents of the State to prevent security breaches of personal information through enhanced cyber security training and technical solutions.  Your Committee further finds that when security breaches occur, residents of the State should be provided with adequate information and resources to protect their personal information.

 

     Your Committee has amended this measure by:

 

     (1)  Clarifying that any business subject to the federal Interagency Guidelines Establishing Information Security Standards or 12 C.F.R. Part 748, Appendix A, is not subject to the state statutory requirement to implement a comprehensive written information security program; and

 

     (2)  Making technical, nonsubstantive amendments for the purposes of clarity and consistency.

 

     As affirmed by the record of votes of the members of your Committee on Ways and Means that is attached to this report, your Committee is in accord with the intent and purpose of H.B. No. 678, H.D. 3, S.D. 1, as amended herein, and recommends that it pass Third Reading in the form attached hereto as H.B. No. 678, H.D. 3, S.D. 2.

 

Respectfully submitted on behalf of the members of the Committee on Ways and Means,

 

 

 

____________________________

DAVID Y. IGE, Chair