THIRTY-FIRST LEGISLATURE, 2022
STATE OF HAWAII
A BILL FOR AN ACT
RELATING TO PRIVACY.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The legislature finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, Regular Session of 2019, convened the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. The concurrent resolution found that public use of the Internet and related technologies have significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of Hawaii.
The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in chapter 487N, Hawaii Revised Statutes, which requires the public to be notified of data breaches, should be updated and expanded. Individuals face too many identifying data elements that, when exposed to the public in a data breach, place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers.
Accordingly, the purpose of this Act is to update the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, to include various personal identifiers and data elements that are found in more comprehensive laws.
SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows:
1. By adding two new definitions to be appropriately inserted and to read:
""Identifier" means a common piece of information related specifically to an individual that is commonly used to identify the individual across technology platforms, including:
(1) A first name or initial, and last name;
(2) A user name for an online account;
(3) A mobile phone number; or
(4) An email address specific to the individual.
"Specified data element" means any of the following:
(1) An individual's social security number, either in its entirety or the last four or more digits;
(2) Driver's license number, federal or state identification card number, or passport number;
(3) A federal individual taxpayer identification number;
(4) An individual's financial account number, or credit or debit card number;
(5) A security code, access code, personal identification number, or password that would allow access to an individual's account;
(6) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data;
(7) A private key that is unique to an individual and that is used to authenticate or sign an electronic record; and
(8) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person.
"Specified data element" does not include medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 and its enacting regulations or other applicable federal or state law."
2. By amending the definition of "personal information" to read:
means an [
individual's first name or first initial and last name in
combination with any one or more of the following data elements, when either
the name or the data elements are not encrypted: (1) Social security
number; (2) Driver's
license number or Hawaii identification card number; or (3) Account number,
credit or debit card number, access code, or password that would permit access
to an individual's financial account.]
identifier in combination with one or more specified
data elements. "Personal
does] shall not include publicly available information
that is lawfully made available to the general public from federal, state, or
local government records."
SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows:
"(g) The following businesses shall be deemed to be in compliance with this section:
(1) A financial
institution that is subject to the federal Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer Notice
published in the Federal Register on March 29, 2005, by the Board of Governors
of the Federal Reserve System, the Federal Deposit Insurance Corporation, the
Office of the Comptroller of the Currency, and the Office of Thrift
Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or
substitutions relating to the interagency guidance; [
(2) Any health plan or
healthcare] health care provider and its business associates
that [ is] are subject to and in compliance with the standards for
privacy or individually identifiable health information and the security standards
for the protection of electronic health information of the Health Insurance
Portability and Accountability Act of 1996[ .]; and
(3) Any licensee that is subject to the Insurance Data Security Law pursuant to article 3B, chapter 431."
SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
SECTION 5. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 6. This Act shall take effect upon its approval.
Privacy; Attorney General; Personal Information; Notice
Modernizes the definition of "personal information" for the purposes of notifying affected persons of data and security breaches. (HD1)
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.