STAND. COM. REP. NO. 2356

 

Honolulu, Hawaii

                  

 

RE:    S.B. No. 2292

       S.D. 1

 

 

 

Honorable Ronald D. Kouchi

President of the Senate

Thirty-First State Legislature

Regular Session of 2022

State of Hawaii

 

Sir:

 

     Your Committee on Commerce and Consumer Protection, to which was referred S.B. No. 2292 entitled:

 

"A BILL FOR AN ACT RELATING TO PRIVACY,"

 

begs leave to report as follows:

 

     The purpose and intent of this measure is to amend the definition of "personal information" to include various personal identifiers and data elements that are found in more comprehensive laws.

 

     Your Committee received testimony in support of this measure from the Department of Commerce and Consumer Affairs, Office of Enterprise Technology Services, and one individual.  Your Committee received comments on this measure from the Hawaii Insurers Council; Hawaiian Electric Company, Inc.; Hawaii Financial Services Association; Hawaii Credit Union League; Hawaii Bankers Association; Hawaii Association of Health Plans; Hawaii Pacific Health; State Privacy & Security Coalition; and one individual.

 

     Your Committee finds that Hawaii was one of the first states to enact certain privacy laws nearly twenty years ago that specify the circumstances in which a business or government agency shall notify a consumer that his or her personal information has been breached.  However, due to rapidly advancing technology and the vast amounts of data collected by businesses and government agencies, it is necessary to update and modernize existing law by amending the definition of what constitutes "personal information".  This will enhance consumer protections involving privacy and align Hawaii with other jurisdictions that have recently adopted similar legislation.

 

     Your Committee has heard the concerns raised in testimony that this measure, as currently written, fails to take into account Act 112, Session Laws of Hawaii (2021), which adopted the Insurance Data Security Model Law to strengthen data privacy and consumer breach notification obligations of insurance licensees.  Amendments are therefore necessary to address these concerns, as well as additional concerns raised in the testimony.

 

     Your Committee has amended this measure by:

 

     (1)  Clarifying that an individual's social security number, either in its entirety or more than the last four digits, shall be considered a "specified data element";

 

     (2)  Clarifying that "specified data element" does not include medical information that is protected by the Health Insurance Portability and Accountability Act and its enacting regulations or other applicable federal or state law;

 

     (3)  Providing that any insurance licensee subject to the Insurance Data Security Law codified in Article 3B, Chapter 431, Hawaii Revised Statutes shall be deemed to be in compliance with section 487N-2, Hawaii Revised Statutes; and

 

     (4)  Making technical, nonsubstantive amendments for the purposes of clarity and consistency.

 

     As affirmed by the record of votes of the members of your Committee on Commerce and Consumer Protection that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 2292, as amended herein, and recommends that it pass Second Reading in the form attached hereto as S.B. No. 2292, S.D. 1, and be referred to your Committee on Judiciary.

 

Respectfully submitted on behalf of the members of the Committee on Commerce and Consumer Protection,

 

 

 

________________________________

ROSALYN H. BAKER, Chair