H.B. NO.

H.D. 1

relating to information privacy.





SECTION 1. Identity theft affects millions of Americans and costs more than $54 billion each year. The legislature finds that unauthorized disclosures of personal information are a leading source of identity theft. To mitigate the effects of these security breaches, the legislature passed Act 135, Session Laws of Hawaii 2006, which requires consumers and businesses to be notified when a security breach occurs. However, Act 135 required only limited information in the notice of a security breach and did not provide for any consumer or small business remedies.

The purpose of this Act is to require that victims of a security breach receive more specific information about the breach and how to respond to it. This Act also establishes a private cause of action for consumers and businesses that are victims of security breaches to pursue damages and increases damages for security breaches caused by gross negligence.

SECTION 2. Chapter 487N, Hawaii Revised Statutes, is amended as follows:

1. By adding a new section to be appropriately designated and to read:

"487N- Security program. (a) A business or government agency that maintains personal information of any residents of the State shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of personal information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the business or government agency and the nature and scope of its activities.

(b) The information security program of a business or government agency shall be designed to:

(1) Ensure the security and confidentiality of personal information;

(2) Protect against any anticipated threats or hazards to the security or integrity of the information; and

(3) Protect against unauthorized access to or use of the information that could result in substantial harm to any resident of the State.

(c) The business or government agency shall train its staff, as appropriate, to implement the business or government agency's security program."

2. By adding a new definition to section 487N-1 to be appropriately inserted and to read:

""Identity theft" means the unauthorized use of another person's identifying information to obtain credit, goods, services, money, or property, or to commit an unlawful act."

3. By amending the definition of "security breach" in section 487N-1 to read:

""Security breach" means an incident of unauthorized [access to and acquisition] disclosure of unencrypted or unredacted records or data containing personal information [where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person]. Any incident of unauthorized [access to and acquisition] disclosure of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach. Good faith [acquisition] disclosure of personal information by an employee or agent of the business or government agency for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure."

4. By amending subsection (d) of section 487N-2 to read:

"(d) The notice shall be clear and conspicuous. The notice shall include a description of the following:

(1) The incident [in general terms;], including the duration of time the information was exposed;

(2) The type of personal information that was subject to the unauthorized access and acquisition;

(3) The types of fraudulent activities that could result pursuant to a breach of that nature, and any remedial actions that the individual can take;

(4) A statement of the individual's legal rights pursuant to the breach, and the legal responsibilities of the business or government, if any;

[(3)] (5) The general acts of the business or government agency to protect the personal information from further unauthorized access;

[(4)] (6) A telephone number that the person may call for further information and assistance, if one exists; [and]

[(5)] (7) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports[.]; and

(8) The toll-free contact telephone numbers and addresses for the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 United States Code Section 1681a, and information on how to place a fraud alert or security freeze."

5. By amending subsection (b) of section 487N-3 to read:

"(b) In addition to any penalty provided for in subsection (a), [any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.] any person who is harmed by a security breach may sue for damages sustained by the person; provided that if a judgment is obtained by the plaintiff:

(1) The court shall award the plaintiff a sum of not less than $       or threefold damages sustained by the plaintiff, whichever is greater, and reasonable attorney's fees and costs. For purposes of this subsection, damages sustained by a person shall include actions taken to mitigate injury from future identity theft, including actual or future purchase of credit monitoring and identity theft insurance; or

(2) The court shall award the plaintiff actual damages if the business or entity implements a security program and is in compliance with section 487N-  . The court may award reasonable attorney's fees and costs.

No such action may be brought against a government agency."

SECTION 3. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.

SECTION 4. This Act shall take effect on January 1, 2050.



Report Title:

Identity Theft; Security Program

Requires a business or government entity to implement a security program. Provides increased damages for a victim who, as a result of an information security breach provided by an entity without a security program, suffers harm from identity theft. Amends the type of notice that must be given to a person affected by a security breach. Defines identity theft. Effective January 1, 2050. (HB1220 HD1)




The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.