THE SENATE

S.B. NO. 2292

THIRTY-FIRST LEGISLATURE, 2022

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  The legislature finds that House Concurrent Resolution No. 225, Senate Draft 1, Regular Session of 2019, established the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era.  The concurrent resolution found that public use of the internet and related technologies has significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised.  Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of Hawaii.

     The legislature finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in chapter 487N, Hawaii Revised Statutes, which requires the public to be notified of data breaches, should be updated and expanded.  Individuals face too many identifying data elements that, when exposed to the public in a data breach, place an individual at risk of identity theft or may compromise the individual's personal safety.  In its current form, chapter 487N is not comprehensive enough to cover the additional identifiers.

     Accordingly, the purpose of this Act is to update the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, to include various personal identifiers and data elements that are found in more comprehensive laws.

     SECTION 2.  Section 487N-1, Hawaii Revised Statutes, is amended as follows:

     1.  By adding two new definitions to be appropriately inserted and to read:

     ""Identifier" means a common piece of information related specifically to an individual, that is commonly used to identify that individual across technology platforms, including a first name or initial, and last name; a user name for an online account; a phone number; or an email address.

     "Specified data element" means any of the following:

     (1)  An individual's social security number, either in its entirety or the last four or more digits;

     (2)  Driver's license number, federal or state identification card number, or passport number;

     (3)  A federal individual taxpayer identification number;

     (4)  An individual's financial account number or credit or debit card number;

     (5)  A security code, access code, personal identification number, or password that would allow access to an individual's account;

     (6)  Health insurance policy number, subscriber identification number, or any other unique number used by a health insurer to identify a person;

     (7)  Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;

     (8)  Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; and

     (9)  A private key that is unique to an individual and that is used to authenticate or sign an electronic record."

     2.  By amending the definition of "personal information" to read:

     ""Personal information" means an [individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

     (1)  Social security number;

     (2)  Driver's license number or Hawaii identification card number; or

     (3)  Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.]

identifier in combination with one or more specified data elements.  "Personal information" [does] shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."

     SECTION 3.  Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows:

     "(g)  The following businesses shall be deemed to be in compliance with this section:

     (1)  A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and

     (2)  Any health plan or healthcare provider and its business associates that [is] are subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996."

     SECTION 4.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 5.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

     SECTION 6.  This Act shall take effect upon its approval.

INTRODUCED BY:

_____________________________

Report Title:

Privacy; Attorney General; Personal Information; Notice

Description:

Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.