THE SENATE
S.B. NO. 1038
THIRTY-THIRD LEGISLATURE, 2025
S.D. 1
STATE OF HAWAII
A BILL FOR AN ACT
RELATING TO PRIVACY.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in chapter 487N, Hawaii Revised Statutes, which requires the public to be notified of data breaches, should be updated and expanded. Many identifying data elements relating to individuals are collected, and, when exposed to the public in a data breach, can place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers.
Accordingly, the purpose of this Act is to update the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, to include personal identifiers and specified data elements that are found in more comprehensive laws.
SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows:
1. By adding two new definitions to be appropriately inserted and to read:
(1) A name used by an individual, including the combination of the first name, any initials in the name, whether at the beginning or middle of the name, or a nickname combined with the last name;
(2) A user name for an online account;
(3) A mobile or home phone number; or
(4) An email address specific to the individual.
"Specified data element" means any of the following:
(1) An individual's social security number, either in its entirety or the last four or more digits;
(2) Driver's license number, federal or state identification card number, or passport number;
(3) A federal individual taxpayer identification number;
(4) A military identification number;
(5) An individual's financial account number, or credit or debit card number, unless redacted;
(6) A security code, access code, personal identification number, or password that would allow access to an individual's account;
(7) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, including a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data;
(8) A private key that is unique to an individual and is used to authenticate or sign an electronic record; and
(9) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person.
"Specified data element" does not include medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 and its enacting regulations or other applicable federal or state law."
2. By amending the definition of "personal information" to read:
""Personal information" means [an] either:
(1) An individual's first initial or first name [or first initial], and last name, in combination with any one or more [of the following data] specified elements, when [either] the [name or the data elements are] personal information is not encrypted[:
(1) Social security number;
(2) Driver's license number or Hawaii identification card number; or
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.], redacted, or otherwise protected by another method that renders the information unreadable or unusable; or
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
"Personal information" does not include publicly available information that is lawfully made available to the general public [from federal, state, or local government records]."
SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows:
"(g) The following businesses shall be deemed to be in compliance with this section:
(1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to title 12 [C.F.R. Part] Code of Federal Regulations part 748, and any revisions, additions, or substitutions relating to the interagency guidance; [and]
(2) Any health plan or [healthcare] health care provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996[.]; and
(3) Any licensee that is subject to the Insurance Data Security Law, chapter 431, article 3B."
SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
SECTION 5. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 6. This Act shall take effect on July 1, 2050.
Report Title:
Privacy; Personal Information; Security Breach; Notice; Identifier; Specified Data Element
Description:
Adds definitions of "identifier" and "specified data element" and amends the definition of "personal information" for the purposes of notifying affected persons of data and security breaches under existing state law that governs the security breach of personal information. Includes licensees subject to the Insurance Data Security Law among the businesses deemed compliant with security breach notice requirements under existing state law. Effective 7/1/2050. (SD1)
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.