A BILL FOR AN ACT

relating to information privacy.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  Section 487N-5, Hawaii Revised Statutes, is amended to read as follows:

     "§487N-5  Information privacy and security council; established; duties; reports.  (a)  There is established an information privacy and security council within the department of accounting and general services for administrative purposes only.  Members of the council shall be appointed no later than September 1, 2008, by the governor without regard to section 26-34 and shall be composed of the following representatives:

     (1)  Executive agencies that maintain extensive personal information in the conduct of their duties, including the department of education, the department of health, the department of human resources development, the department of human services, and the University of Hawaii, to be selected by the governor;

     (2)  The legislature, to be selected by the president of the senate and the speaker of the house of representatives;

     (3)  The judiciary, to be selected by the administrator of the courts; and

     (4)  The four counties, to be selected by the mayor of each county; provided that the mayor of each county shall determine the extent to which the county may or may not participate.

     The chief information officer or the chief information officer's designee shall serve as chair of the council.

     (b)  By January 1, 2009, the council shall submit to the legislature a report of the council's assessment and recommendations on initiatives to mitigate the negative impacts of identity theft incidents on individuals.  The report shall emphasize assessing the merits of identity theft passport and identity theft registry initiatives that have been implemented in other states.

     (c)  No later than June 30, 2009, the council shall develop guidelines to be considered by government agencies in deciding whether, how, and when a government agency shall inform affected individuals of the loss, disclosure, or security breach of personal information that can contribute to identify theft.  The guidelines shall provide a standardized, risk-based notification process in the instance of a security breach.

     (d)  The council shall review the individual annual reports submitted by government agencies, pursuant to section 487N-7 and submit a summary report to the legislature no later than twenty days prior to the convening of the regular session of 2010 and each year thereafter.  The summary report shall include the council's findings, significant trends, and recommendations to protect personal information used by government agencies.

     The initial report to the legislature also shall include proposed legislation to amend section 487N-2 or any other law that the council deems necessary to conform to the guidelines established under subsection (c).

     (e)  The council, in collaboration with the department of commerce and consumer affairs, shall develop a policy of best practices related to the use, storage, and security of personal information entrusted to businesses and government agencies.  These best practices shall include procedures that businesses and government agencies may utilize in an effort to protect personal information from unauthorized use or dissemination.  The council shall submit a report including the best practices and any proposed legislation to the legislature no later than twenty days prior to the convening of the regular session of 2016.

     [(e)] (f)  The comptroller may establish support positions for the information and communication services division, including but not limited to, legal support, information technology, human resources and personnel, records management, and administrative support."

     SECTION 2.  Statutory material to be repealed is bracketed and stricken.  New statutory material is underscored.

     SECTION 3.  This Act shall take effect upon its approval.

Report Title:

Personal Information; Security; Department of Commerce and Consumer Affairs; Information Privacy and Security Council

Description:

Requires the information privacy and security council to establish best practices for the use, storage, and security of personal information entrusted to businesses and government agencies and report findings and proposed legislation to the legislature.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.