STAND. COM. REP. NO.  1380

 

Honolulu, Hawaii

                , 2025

 

RE:   S.B. No. 1038

      S.D. 1

      H.D. 1

 

 

 

 

Honorable Nadine K. Nakamura

Speaker, House of Representatives

Thirty-Third State Legislature

Regular Session of 2025

State of Hawaii

 

Madame:

 

     Your Committee on Economic Development & Technology, to which was referred S.B. No. 1038, S.D. 1, entitled:

 

"A BILL FOR AN ACT RELATING TO PRIVACY,"

 

begs leave to report as follows:

 

     The purpose of this measure is to amend the security breach of personal information laws by:

 

     (1)  Adding definitions for "identifier" and "specified data element";

 

     (2)  Amending the definition of "personal information"; and

 

     (3)  Including licensees subject to the Insurance Data Security Law among the businesses deemed compliant with security breach notice requirements.

 

     Your Committee received testimony in support of this measure from one individual.  Your Committee received testimony in opposition to this measure from TechNet; Mortgage Bankers Association of Hawaii; Hawaii Financial Services Association; and Consumer Data Industry Association.  Your Committee received comments on this measure from the Insurance Division and Office of Consumer Protection of the Department of Commerce and Consumer Affairs; Department of Human Services; and Hawaii Bankers Association.

 

     Your Committee finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, Regular Session of 2019, convened the Twenty-First Century Privacy Law Task Force to examine and make recommendations regarding existing privacy laws and rules.  This measure adopts some of the recommendations of the Task Force and ensures that persons impacted by data breaches are notified when certain personal information is compromised.

 

     Your Committee has amended this measure by:

 

     (1)  Removing the definition of "identifier" and including its contents in the definition of "personal information";

 

     (2)  Removing the exclusion of medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 from the definition of "specified data element";

 

     (3)  Removing the inclusion of licenses subject to the Insurance Data Security Law from the businesses deemed compliant with security breach notice requirements;

 

     (4)  Clarifying that this measure is intended to take effect on April 1, 2026;

 

     (5)  Changing the effective date to July 1, 3000, to encourage further discussion; and

 

     (6)  Making technical, nonsubstantive amendments for the purposes of clarity, consistency, and style.

 

     Your Committee respectfully requests your Committee on Commerce and Consumer Protection, should it deliberate on this measure, to consider:

 

     (1)  Adding the following to the definition of "personal information":

 

          (A)  Local location data;

 

          (B)  Online identifiers such as Internet Protocol (IP) addresses and cookies; and

 

          (C)  Factors relating to an individual's physical, genetic, mental, economic, or social identity; and

 

     (2)  Amending the definition of "specified data element" to include the last five or more digits of an individual's social security number.

 

     As affirmed by the record of votes of the members of your Committee on Economic Development & Technology that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 1038, S.D. 1, as amended herein, and recommends that it pass Second Reading in the form attached hereto as S.B. No. 1038, S.D. 1, H.D. 1, and be referred to your Committee on Consumer Protection & Commerce.

 

 

Respectfully submitted on behalf of the members of the Committee on Economic Development & Technology,

 

 

		____________________________ GREGGOR ILAGAN, Chair