A BILL FOR AN ACT

RELATING TO CYBERSECURITY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  Chapter 128A, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:

     "§128A-     Cybersecurity incidents; cyber ransom or ransomware attacks; payment of ransom.  (a)  No government agency, business entity, or health care entity in the State shall pay, or have another entity pay on its behalf, ransom related to a cyber incident or a cyber ransom or ransomware attack.

     (b)  Government agencies, business entities, and health care entities shall report all cyber incidents and cyber ransom or ransomware attacks to the office of homeland security within      hours after the agency or entity has discovered or has been notified of a cyber incident or cyber ransom or ransomware attack.

     (c)  Any business entity or healthcare entity that violates this section shall be subject to a civil penalty of no less than $           and more than $           for each violation and the costs of any investigation.  The attorney general may bring an action pursuant to this section.  No such action may be brought against a government agency.

     (d)  The penalties provided in this section shall be in addition to the remedies or penalties available under all other laws of this State.

     (e)  As used in this section:

     "Business entity" means any legal entity that conducts business in the State.  The term includes a sole proprietorship, partnership, corporation, association, or other group, however organized, and whether or not organized to operate at a profit; and a financial institution organized, chartered, or holding a license or authorization certificate under the laws of the State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution.

     "Cyber incident" means the compromise of the security, confidentiality, or integrity of computerized data due to the exfiltration, modification, or deletion that results in the unauthorized acquisition of and access to information maintained by an entity.

     "Cyber ransom" or "ransomware" means a type of malware that encrypts or locks valuable digital files and demands a ransom to release the files.

     "Government agency" means any department, division, board, commission, public corporation, or other agency or instrumentality of the State or of any county.

     "Health care entity" means hospitals, nursing homes, home care agencies, hospice, and any other health care facilities licensed or certified by the department of health."

     SECTION 2.  Section 128A-4, Hawaii Revised Statutes, is amended to read as follows:

     "[[]§128A-4[]]  Homeland security responsibilities.  (a)  The director may:

     (1)  Prepare comprehensive plans and programs for homeland security and homeland defense; provided that these plans and programs shall be integrated and coordinated with the plans of the counties and the federal government to the fullest possible extent;

     (2)  Make studies and surveys of the vulnerabilities of critical infrastructure and key resources in this State as may be necessary, and participate in planning for their protection;

     (3)  Develop and maintain a list of critical infrastructure, coordinating the list with the counties of the State, other state agencies, federal agencies (including the Departments of Defense and Homeland Security), the private sector, and other agencies and organizations as necessary;

     (4)  Develop and maintain a capability to process security-clearance applications for civilian workers of the state and county governments;

     (5)  Foster coordination on security matters with all nations of the Pacific region to the extent permitted under federal law, including but not limited to coordinating planning efforts, as appropriate; sponsoring discussions and seminars; and hosting periodic international conferences; and

     (6)  Solicit and manage funding, including but not limited to grants from the federal government, funds from other divisions in the department of defense and other state agencies, and funds to provide personnel support to the office of homeland security.

     (b)  The director shall develop and maintain a list of all cybersecurity incidents and cyber ransom or ransomware attacks reported to it pursuant to section 128A-    and make the list available to the public."

     SECTION 3.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2022-2023 to carry out the purposes of this Act.

     The sum appropriated shall be expended by the office of homeland security for the purposes of this Act.

     SECTION 4.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

     SECTION 5.  This Act shall take effect upon its approval.

Report Title:

Cybersecurity; Cyber Ransom; Ransomware; Payment Prohibition; Reporting; Appropriation

Description:

Prohibits government agencies, business entities, and health care entities in the State from paying or having another entity pay on its behalf ransom for cyber incidents or cyber ransom or ransomware attacks.  Requires all agencies and entities to report incidents and attacks to the office of homeland security.  Establishes penalties for violations.  Requires the director of homeland security to develop and maintain a list of all incidents and attacks and make the list available to the public.  Appropriates funds.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.