STAND. COM. REP. NO 244

 

Honolulu, Hawaii

                

 

RE:    S.B. No. 1186

       S.D. 1

 

 

 

Honorable Donna Mercado Kim

President of the Senate

Twenty-Eighth State Legislature

Regular Session of 2015

State of Hawaii

 

Madam:

 

     Your Committees on Government Operations and Commerce and Consumer Protection, to which was referred S.B. No. 1186 entitled:

 

"A BILL FOR AN ACT RELATING TO PERSONAL INFORMATION,"

 

beg leave to report as follows:

 

     The purpose and intent of this measure is to:

 

     (1)  Expand the definition of "personal information" as used in chapter 487N, Hawaii Revised Statutes; and

 

     (2)  Impose additional notice requirements upon businesses that own or license personal information of residents of Hawaii, businesses that conduct business in Hawaii that own or license personal information in any form, and any government agency that collects personal information for specific purposes regarding notification of any security breach to affected persons.

 

     Your Committees received testimony in support of this measure from the Judiciary.  Your Committees received testimony in opposition to this measure from the Hawaii Information Consortium.  Your Committees received comments on this measure from the Office of Information Management and Technology, Office of Information Practices, Consumer Data Industry Association, American Council of Life Insurers, and State Privacy and Security Coalition, Inc.

 

     Your Committees find that information security is a growing concern as personal information is increasingly available through various modes of technology.  Laws related to security breaches of personal information require some flexibility to provide for police investigation of the breach and to require adequate notice to affected persons.  They must also be tailored in a way that does not inhibit businesses and government entities from using efficient means of doing business, while protecting consumers in the event of a breach.

 

     Your Committees have amended this measure by:

 

     (1)  Clarifying the definition of "personal information" relative to health insurance information;

 

     (2)  Clarifying the definition of "personal information" relative to an online user name, electronic mail address, or social media user name or account;

 

     (3)  Deleting the requirement that notification be made no later than forty-five days following the determination of the breach;

 

     (4)  Deleting the prohibition against providing affected persons notice of a security breach through electronic mail in the event that the security breach involved personal information including the login credential of an electronic mail account; and

 

     (5)  Making technical, nonsubstantive amendments for the purposes of clarity and consistency.

 

     As affirmed by the records of votes of the members of your Committees on Government Operations and Commerce and Consumer Protection that are attached to this report, your Committees are in accord with the intent and purpose of S.B. No. 1186, as amended herein, and recommend that it pass Second Reading in the form attached hereto as S.B. No. 1186, S.D. 1, and be referred to the Committees on Judiciary and Labor and Ways and Means.

 

Respectfully submitted on behalf of the members of the Committees on Government Operations and Commerce and Consumer Protection,

 

____________________________ ROSALYN H. BAKER, Chair		____________________________ DONOVAN M. DELA CRUZ, Chair