Bill Text: HI HB678 | 2011 | Regular Session | Amended


Bill Title: Personal Information; Security Breach; Appropriation

Spectrum: Partisan Bill (Democrat 9-0)

Status: (Enrolled - Dead) 2011-04-28 - (S) Conference committee meeting to reconvene on 04-29-11 11:30AM in conference room 423.

HOUSE OF REPRESENTATIVES
TWENTY-SIXTH LEGISLATURE, 2011
STATE OF HAWAII

H.B. NO. 678
H.D. 3
S.D. 2

A BILL FOR AN ACT

RELATING TO INFORMATION.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The legislature finds that a recent University of Hawaii security breach may have exposed personal information, including approximately 40,870 social security numbers and two hundred credit card numbers.  The system was immediately isolated, and an investigation was launched to determine the scope of the breach and identify individuals who may have been affected.  Letters were mailed to affected individuals on July 3, 2010, and an email notice was sent to affected individuals at their most recent email address on record.  To protect personal information from further unauthorized access, social security numbers are no longer used for parking transactions, and are being purged from all current and historic parking office databases.  Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

     The legislature further finds that while the University of Hawaii acted swiftly and appropriately after discovery of the security breach, additional safeguards are necessary to ensure that the University of Hawaii and other government agencies have the resources to avoid a reoccurrence of these security breaches of personal information.

     The purpose of this Act is to strengthen the safeguards for security breaches of personal information.

     SECTION 2.  Chapter 487N, Hawaii Revised Statutes, is amended by adding two new sections to be appropriately designated and to read as follows:

     "§487N‑     Personal information; government agencies; requirements.  Any government agency that maintains one or more personal information systems shall include, as part of the agency's guidelines developed pursuant to section 487N‑5(c), mandatory training programs for any agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted.  A government agency may request assistance from the information and communication services division of the department of accounting and general services for training purposes, pursuant to section 487N-5(e).

     §487N-     Personal information; business; security program.  (a)  A business that maintains personal information about residents of Hawaii shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of personal information of residents of Hawaii.  The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the business and the nature and scope of its activities.

     (b)  The information security program of a business shall be designed to:

     (1)  Ensure the security and confidentiality of personal information of residents of Hawaii;

     (2)  Protect against any anticipated threats or hazards to the security or integrity of the information; and

     (3)  Protect against unauthorized access to or use of the information that could result in substantial harm to any resident of Hawaii.

     (c)  The business shall train its staff, as appropriate, to implement the security program of the business.

     (d)  This section shall not apply to a financial institution that is subject to the federal Interagency Guidelines Establishing Information Security Standards or 12 C.F.R. Part 748, Appendix A, both as amended from time to time."

     SECTION 3.  Section 487N-1, Hawaii Revised Statutes, is amended as follows:

     1.  By adding a new definition to be appropriately inserted and to read:

     ""Credit reporting agency" means a nationwide consumer credit reporting agency, such as Equifax, Experian, or TransUnion, or any successor entity thereof, that provides consumer credit monitoring and reporting services."

     2.  By amending the definition of "security breach" to read:

     ""Security breach" [means an]:

     (1)  Means:

         (A)  Any incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person[.];

         (B)  Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key [constitutes a security breach.  Good]; and

         (C)  Any incident of inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information; and

     (2)  Does not include good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose [is not a security breach]; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure."

     SECTION 4.  Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (d) to read as follows:

     "(d)  The notice shall be clear and conspicuous.  The notice shall include a description of the following:

     (1)  The incident in general terms;

     (2)  The type of personal information that was subject to the unauthorized access and acquisition;

     (3)  The general acts of the business or government agency to protect the personal information from further unauthorized access;

     (4)  A telephone number that the person may call for further information and assistance, if one exists; [and]

     (5)  Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports[.]; and

     (6)  The toll-free contact telephone numbers and addresses for the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a, and information on how to place a fraud alert or security freeze."

     SECTION 5.  Section 487N-4, Hawaii Revised Statutes, is amended to read as follows:

     "[[]§487N-4[]]  Reporting requirements.  A government agency shall submit a written report to the legislature and the information privacy and security council within twenty days after discovery of a security breach at the government agency that details information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent, whether the notice was delayed due to law enforcement considerations, and any procedures that have been implemented to prevent the breach from reoccurring.  [In the event that] If a law enforcement agency informs the government agency that notification may impede a criminal investigation or jeopardize national security, the report to the legislature and the information privacy and security council may be delayed until twenty days after the law enforcement agency has determined that notice will no longer impede the investigation or jeopardize national security."

     SECTION 6.  Section 487N-5, Hawaii Revised Statutes, is amended as follows:

     1.  By amending subsection (a) to read:

     "(a)  There is established an information privacy and security council within the department of accounting and general services for administrative purposes only.  The council shall be responsible for coordinating the implementation of guidelines by government agencies, as established under subsection (c).  Members of the council shall be appointed no later than September 1, 2008, by the governor without regard to section 26‑34 and shall be composed of the following representatives:

     (1)  Executive agencies that maintain extensive personal information in the conduct of their duties, including the department of education, the department of health, the department of human resources development, the department of human services, and the University of Hawaii, to be selected by the governor;

     (2)  The legislature, to be selected by the president of the senate and the speaker of the house of representatives;

     (3)  The judiciary, to be selected by the administrator of the courts; and

     (4)  The four counties, to be selected by the mayor of each county; provided that the mayor of each county shall determine the extent to which the county may or may not participate.

     The comptroller or the state chief information officer, once appointed, shall serve as chair of the council."

     2.  By amending subsection (e) to read:

     "(e)  The comptroller may establish support positions for the information and communication services division, including but not limited to[,] legal support, information technology, human resources and personnel, records management, training, and administrative support."

     SECTION 7.  Section 489P-2, Hawaii Revised Statutes, is amended by adding a new definition to be appropriately inserted and to read as follows:

     ""Security breach" has the same meaning as in section 487N‑1."

     SECTION 8.  Section 489P-3, Hawaii Revised Statutes, is amended by amending subsection (a) to read as follows:

     "(a)  Any consumer who is a resident of this State may place a security freeze on the consumer's credit report.  A consumer credit reporting agency shall not charge a victim of identity theft or a security breach a fee for placing, lifting, or removing a security freeze on a credit report but may charge any other consumer a fee not to exceed $5 for each request by the consumer to place, lift, or remove a security freeze from the consumer's credit report.

     A consumer who is a resident of this State and has been the victim of identity theft or a security breach may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency, at an address designated by the agency to receive such requests, with a valid copy of a police report, investigative report, or complaint the consumer has filed with a law enforcement agency about unlawful use of the consumer's personal information by another person.  A consumer who has not been the victim of identity theft or a security breach may place a security freeze on the consumer's credit report by making a request in writing by certified mail to a consumer credit reporting agency.

     A security freeze shall prohibit the consumer credit reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer.  This subsection shall not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report."

     SECTION 9.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2011-2012 and the same sum or so much thereof as may be necessary for fiscal year 2012-2013 for       positions and funding in support of the information privacy and security council and enhanced data security requirements.

     The sums appropriated shall be expended by the department of accounting and general services for the purposes of this Act.

     SECTION 10.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2011-2012 and the same sum or so much thereof as may be necessary for fiscal year 2012-2013 for specialist and coordinator positions in statewide network security, application scanning, security incident, and training.

     The sums appropriated shall be expended by the department of accounting and general services for the purposes of this Act.

     SECTION 11.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2011-2012 and the same sum or so much thereof as may be necessary for fiscal year 2012-2013 for security tools, maintenance, and licenses, including software and enhanced web applications.

     The sums appropriated shall be expended by the department of accounting and general services for the purposes of this Act.

     SECTION 12.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 13.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

     SECTION 14.  This Act shall take effect on July 1, 2050.



 

Report Title:

Personal Information; Security Breach; Appropriation

Description:

Requires a government agency that maintains personal information systems to include mandatory training programs for agency personnel; requires a business that maintains personal information to implement an information security program; adds a definition of "credit reporting agency"; amends the definition of "security breach" to include inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information; requires a notice of security breach to include toll-free contact telephone numbers and addresses for the major credit reporting agencies; requires a government agency to submit a written report to the information privacy and security council within twenty days after discovery of a security breach; requires the information privacy and security council to be responsible for coordinating the implementation of security breach guidelines by government agencies; includes a victim of a security breach to those residents entitled to free security freeze services; appropriates unspecified funds for the information privacy and security council for positions and security tools.  Effective 7/1/2050.  (SD2)

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.