THE SENATE
S.B. NO. 1186
TWENTY-EIGHTH LEGISLATURE, 2015
STATE OF HAWAII

A BILL FOR AN ACT
RELATING TO PERSONAL INFORMATION.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. Section 487N-1, Hawaii Revised Statutes, is amended by amending the definition of "personal information" to read as follows:
""Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number;
(2) Driver's license number or Hawaii identification card number; [or]
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account[.];
(4) Medical information, including but not limited to any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a qualified health care professional;
(5) Health insurance information, including but not limited to an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual, or any information in an individual's application and claims history, including any records of appeal; or
(6) An online user name, email address, or social media user name or other identifier of a social media account that when used in combination with a password or security question and answer would permit access to an online account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."
SECTION 2. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsections (a) to (e) to read:
"(a) Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) [of this section], and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system. Notification shall be made no later than forty-five days following the determination of the breach, unless provided otherwise in this section.
(b) Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of residents of Hawaii shall notify the owner or licensee of the information of any security breach [immediately] no later than ten days following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c).
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business or government agency that notification may impede a criminal investigation or jeopardize national security and requests a delay; provided that such request is made in writing, or the business or government agency documents the request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided [without unreasonable delay] pursuant to subsection (a) or (b) after the law enforcement agency communicates to the business or government agency its determination that notice will no longer impede the investigation or jeopardize national security.
(d) The notice shall be clear and conspicuous. The notice shall include a description of the following:
(1) The incident in general terms;
(2) The type of personal information that was subject to the unauthorized access and acquisition;
(3) The general acts of the business or government agency to protect the personal information from further unauthorized access;
(4) A telephone number that the person may call for further information and assistance, if one exists; [and]
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports[.];
(6) If the information is possible to determine at the time the notice is provided, then any of the following:
(A) The date of the breach;
(B) The estimated or approximate date of the breach; or
(C) The range of possible dates within which the breach occurred.
(7) Whether law enforcement caused a delay in notification, if the information is possible to determine at the time the notice is provided; and
(8) If the breach exposed a civil identification card number or social security number, the contact information for major credit reporting agencies.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:
(1) Written notice to the last available address the business or government agency has on record;
(2) Electronic mail notice, for those persons for whom a business or government agency has a valid electronic mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. section 7001; provided that in the case of a security breach involving personal information including or involving the login credential of an email account, the business or government agency shall not provide notification of the breach to that email address and shall instead provide notice by another method set forth in this subsection;
(3) Telephonic notice, provided that contact is made directly with the affected persons; and
(4) Substitute notice, if the business or government agency demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business or government agency does not have sufficient contact information or consent to satisfy paragraph (1), (2), or (3), for only those affected persons without sufficient contact information or consent, or if the business or government agency is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:
(A) Electronic mail notice when the business or government agency has an electronic mail address for the subject persons;
(B) Conspicuous posting of the notice on the website page of the business or government agency, if one is maintained; and
(C) Notification to major statewide media."
SECTION 3. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 4. This Act shall take effect on July 1, 2015.
INTRODUCED BY:
_____________________________

Report Title:
Personal Information; Security Breach; Notification
Description:
Expands definition of "personal information" and establishes or amends the timeline by which a business or government agency must notify persons affected by a security breach of personal information. Specifies additional information required in notification following certain security breaches. Prohibits the use of email as a means of notification of a security breach if login credentials for email were compromised.
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.