Data Privacy Map - Hawaii

Highlights

Covered Entities: Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes.

Consumer Notification: Notification must be provided to the affected Hawaii resident following discovery or notification of the breach.

Regulatory Notification: If notice is provided to more than 1,000 Hawaii residents, notice must also be provided in writing, without unreasonable delay, to the Hawaii Office of Consumer Protection of the timing, distribution, and content of the notice.

Notification Timeline: Without unreasonable delay, consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

Data Format: Personal information in any form (whether computerized, paper, or otherwise).

Citations: HRS § 487N-1 et seq.

More Details

Definitions:

• Breach: An incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person.
• Personal Information (PI):
  • An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    • Social security number;
    • Driver's license number or Hawaii identification card number; or
    • Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.
• Medical Information: N/A
• Health Insurance Information: N/A 

Safe Harbors:

• Encryption: Statute does not apply to personal information that is encrypted or redacted unless the confidential process or key is also accessed or acquired.
• Good Faith: Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.
• Risk of Harm: Statute requires notification where illegal use of personal information has occurred, or is reasonably likely, and creates a risk of harm to a person.
• Law Enforcement Delay: Notification may be delayed if a law enforcement agency informs the subject entity that notification may impede a criminal investigation or jeopardize national security and agency requests a delay in writing. Notice must be provided without unreasonable delay after the law enforcement agency communicates that notice will no longer impede the investigation or jeopardize national security.

Direct Notice:

• Timing: Without reasonable delay following discovery or notification of the breach, consistent with any measures necessary to determine sufficient contact information, the scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the system.
• Format: N/A
• Content: The notice must be “clear and conspicuous” and include a description of the following:
  • (1) The incident in general terms;
  • (2) The type of personal information subject to the access and acquisition;
  • (3) The subject entity’s general acts to protect the personal information from further unauthorized access;
  • (4) A telephone number that the person may call for further information and assistance, if one exists; and
  • (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
• Method: Notice to affected persons may be provided by either (1) Written notice; (2) Electronic mail notice, if individual has agreed to receive communications electronically if the notice is consistent with 15 U.S.C. section 7001 (E-SIGN Act); (3) Telephone notice; or (4) Substitute notice (see below).

Substitute Notice:

Substitute notice may be given if the entity demonstrates that (i) the cost of providing notice would exceed $100,000, (ii) the affected class to be notified exceeds 200,000 persons; (iii) the entity does not have sufficient contact information for the individuals or consent to provide notice; or (iv) the entity is unable to identify certain affected persons (substitute notice permitted only for those whom the subject entity is unable to identify).

Remediation Services:

N/A 

Regulatory Notice:

If notice is provided to more than 1,000 Hawaii residents, notice must also be provided in writing, without unreasonable delay, to the Hawaii Office of Consumer Protection of the timing, distribution, and content of the notice.

Credit Reporting Agencies Notice:

If notice is provided to more than 1,000 residents, the entity must notify in writing, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

Third-Party Notice:

Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach.

HIPAA:

Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.

Private Action:

Yes, injuries parties may bring civil actions for actual damages and attorneys’ fees.

Associated Regulations:

• Insurance Industry Data Security Law (HRS §§ 431:3B-301 to 431:3B-306).

Highlights

Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Hawaii or holding a certificate of authority under HRS § 432D, not including a purchasing group or a risk retention group chartered and licensed in a state other than Hawaii or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

Consumer Notification: The licensee shall comply with HRS § 487N, as applicable, and provide a copy to the commissioner.

Regulatory Notification: Each licensee shall notify the commissioner as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event impacting 250 or more consumers has occurred.

Notification Timeline: As promptly as possible, but in no later than 3 business days from a determination that a cybersecurity event impacting 250 or more consumers has occurred.

Citations: HRS §§ 431:3b-101 to 431:3b-306

More Details

Definitions:

• Consumer: An individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of Hawaii and whose nonpublic information is in a licensee's possession, custody, or control.
• Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
• Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Hawaii or holding a certificate of authority under HRS § 432D, not including a purchasing group or a risk retention group chartered and licensed in a state other than Hawaii or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
• Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  
  • Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
    
    • Social Security number;
    • Driver’s license number or nondriver identification card number;
    • Financial account number or credit or debit card number;
    • Security code, access code, or password that would permit access to a consumer’s financial account; or
    • Biometric records.
  • Any information or data subject to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that identifies a particular consumer and that relates to:
    
    • The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
    • The provision of health care to any consumer; or
    • The payment for the provision of health care to any consumer.

Regulatory Notice:

Each licensee shall notify the commissioner as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event impacting 250 or more consumers has occurred. Notification shall be provided when either of the following criteria has been met:

• The licensee is domiciled in Hawaii, in the case of an insurer, or the licensee's home state is Hawaii, in the case of an independent insurance producer; or
• The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing Hawaii and the cybersecurity has a reasonable likelihood of materially harming either a consumer residing in Hawaii or a material part of licensee’s operations.

Content Requirements:

When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:

• The date of the cybersecurity event.
• A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
• How the cybersecurity event was discovered.
• Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
• The identity of the source of the cybersecurity event.
• Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
• A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
• The period during which the information system was compromised by the cybersecurity event.
• The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
• The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
• A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
• A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
• The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

If a licensee discovers that a cybersecurity incident in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance unless the third-party service provider provides the notice.

Penalties:

In the case of a violation, a licensee may be penalized in accordance with HRS § 431:2-203.

Associated Regulations:

N/A