THE SENATE

S.B. NO. 1002

THIRTY-FIRST LEGISLATURE, 2021

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO INFORMATION PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. The legislature finds that despite the growing number of devices that are connected to the internet, there is no mandate to protect the users of these devices through specific security measures.

Accordingly, the purpose of this Act is to require a manufacturer of an internet connected device to equip the device with reasonable security features that are:

(1) Appropriate to the nature and function of the device regarding the information it may collect, contain, or transmit; and

(2) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

SECURITY OF CONNECTED DEVICES

§ ‑1 Short title. This chapter may be cited as the Security of Connected Devices Act.

§ ‑2 Definitions. As used in this chapter, unless the context clearly requires otherwise:

"Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.

"Connected device" means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or bluetooth address.

"Manufacturer" means the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in the State. For purposes of this chapter, a contract with another person to manufacture on the person's behalf does not include a contract only to purchase a connected device, or only purchase and brand a connected device.

"Security feature" means a feature of a device designed to provide a security for that device.

"Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

§ ‑3 Security features of connected devices. (a) A manufacturer of a connected device shall equip the device with reasonable security features to include all of the following:

(1) Appropriate to the nature and function of the device;

(2) Appropriate to the information it may collect, contain, or transmit; and

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all the requirements of subsection (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subsection (a), if either of the following requirements is met:

(1) The preprogrammed password is unique to each manufactured device; or

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

§ ‑4 Limitations on duties. (a) This chapter shall not be construed to impose any duty:

(1) Upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device;

(2) Upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this chapter; or

(3) Upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.

(b) This chapter shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

(c) This chapter shall not be construed to provide a basis for a private right of action. The attorney general shall have the exclusive authority to enforce this chapter.

(d) The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

(e) This chapter shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

(f) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, shall not be subject to this chapter with respect to any activity regulated by it."

SECTION 3. This Act shall take effect upon its approval.

INTRODUCED BY: _____________________________

Report Title:

Cyber Security; Internet Connected Devices; Security Features; Information Privacy

Description:

Requires manufacturers of connected devices to equip the devices with reasonable security features regarding information collected, unauthorized access, or the destruction or use of the devices.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.