§487N-5  Information privacy and security council; established; duties; reports.  (a)  There is established an information privacy and security council within the department of accounting and general services for administrative purposes only.  Members of the council shall be appointed no later than September 1, 2008, by the governor without regard to section 26-34 and shall be composed of the following representatives:

     (1)  Executive agencies that maintain extensive personal information in the conduct of their duties, including the department of commerce and consumer affairs, the department of education, the department of health, the department of human resources development, the department of human services, and the University of Hawaii, to be selected by the governor;

     (2)  The legislature, to be selected by the president of the senate and the speaker of the house of representatives;

     (3)  The judiciary, to be selected by the chief justice of the Hawaii supreme court; and

     (4)  The four counties, to be selected by the mayor of each county; provided that the mayor of each county shall determine the extent to which the county may or may not participate.

     Each member of the council may designate a person from that member's agency to attend meetings and act on the member's behalf, including for voting purposes, when the member is unable to attend a meeting.  The chief information officer or the chief information officer's designee shall serve as chair of the council.

     (b)  By January 1, 2009, the council shall submit to the legislature a report of the council's assessment and recommendations on initiatives to mitigate the negative impacts of identity theft incidents on individuals.  The report shall emphasize assessing the merits of identity theft passport and identity theft registry initiatives that have been implemented in other states.

     (c)  No later than June 30, 2009, the council shall develop guidelines to be considered by government agencies in deciding whether, how, and when a government agency shall inform affected individuals of the loss, disclosure, or security breach of personal information that can contribute to identity theft.  The guidelines shall provide a standardized, risk-based notification process in the instance of a security breach.

     (d)  The council shall review the individual annual reports submitted by government agencies, pursuant to section 487N-7 and submit a summary report to the legislature no later than twenty days prior to the convening of the regular session of 2010 and each year thereafter.  The summary report shall include the council's findings, significant trends, and recommendations to protect personal information used by government agencies.

     The initial report to the legislature also shall include proposed legislation to amend section 487N-2 or any other law that the council deems necessary to conform to the guidelines established under subsection (c).

     (e)  The chief information officer may establish support positions for the office of enterprise technology services, including but not limited to information technology, human resources and personnel, records management, and administrative support. [L Sp 2008, c 10, pt of §4; am L 2012, c 71, §1; am L 2016, c 58, §7; am L 2022, c 11, §2]




  Consolidation of functions, duties, etc. of the office of information management and technology and the information and communication services division under the office of enterprise technology services.  L 2016, c 58, §§8 to 11.