| 47 | | - | SECTION 1. The legislature finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, Regular Session of 2019, convened the twenty-first century privacy law task force, the membership of which consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. The concurrent resolution found that public use of the Internet and related technologies have significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of the State. The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in chapter 487N, Hawaii Revised Statutes, which requires the public to be notified of data breaches, should be updated and expanded. Many identifying data elements relating to individuals are collected, and, when exposed to the public in a data breach, can place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers. Accordingly, the purpose of this Act is to update the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, to include various personal identifiers and data elements that are found in more comprehensive laws. SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended follows: 1. By adding two new definitions to be appropriately inserted and to read: ""Identifier" means a common piece of information related specifically to an individual that is commonly used to identify the individual across technology platforms, including: (1) A first name or initial, and last name; (2) A user name for an online account; (3) A mobile phone number; or (4) An email address specific to the individual. "Specified data element" means any of the following: (1) An individual's social security number, either in its entirety or the last four or more digits; (2) Driver's license number, federal or state identification card number, or passport number; (3) A federal individual taxpayer identification number; (4) An individual's financial account number, or credit or debit card number; (5) A security code, access code, personal identification number, or password that would allow access to an individual's account; (6) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; (7) A private key that is unique to an individual and is used to authenticate or sign an electronic record; and (8) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person. "Specified data element" does not include medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 and its enacting regulations or other applicable federal or state law." 2. By amending the definition of "personal information" to read: ""Personal information" means an [individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.] identifier in combination with one or more specified data elements. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records." SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows: "(g) The following businesses shall be deemed to be in compliance with this section: (1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; [and] (2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996[.]; and (3) Any licensee that is subject to the Insurance Data Security Law pursuant to article 3B, chapter 431." SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 5. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored. SECTION 6. This Act shall take effect on July 1, 2050. |
|---|
| 47 | + | SECTION 1. The legislature finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, Regular Session of 2019, convened the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. The concurrent resolution found that public use of the Internet and related technologies have significantly expanded in recent years and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of Hawaii. The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in chapter 487N, Hawaii Revised Statutes, which requires the public to be notified of data breaches, should be updated and expanded. Many identifying data elements relating to individuals are collected, and, when exposed to the public in a data breach, can place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers. Accordingly, the purpose of this Act is to update the definition of "personal information" in chapter 487N, Hawaii Revised Statutes, to include various personal identifiers and data elements that are found in more comprehensive laws. SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended follows: 1. By adding two new definitions to be appropriately inserted and to read: ""Identifier" means a common piece of information related specifically to an individual that is commonly used to identify the individual across technology platforms, including: (1) A first name or initial, and last name; (2) A user name for an online account; (3) A mobile phone number; or (4) An email address specific to the individual. "Specified data element" means any of the following: (1) An individual's social security number, either in its entirety or the last four or more digits; (2) Driver's license number, federal or state identification card number, or passport number; (3) A federal individual taxpayer identification number; (4) An individual's financial account number, or credit or debit card number; (5) A security code, access code, personal identification number, or password that would allow access to an individual's account; (6) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; (7) A private key that is unique to an individual and that is used to authenticate or sign an electronic record; and (8) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person. "Specified data element" does not include medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 and its enacting regulations or other applicable federal or state law." 2. By amending the definition of "personal information" to read: "Personal information" means an [individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.] Identifier in combination with one or more specified data elements. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records." SECTION 3. Section 487N-2, Hawaii Revised Statutes, is amended by amending subsection (g) to read as follows: "(g) The following businesses shall be deemed to be in compliance with this section: (1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; [and] (2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996[.]; and (3) Any licensee that is subject to the Insurance Data Security Law pursuant to article 3B, chapter 431." SECTION 4. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 5. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored. SECTION 6. This Act shall take effect upon its approval. INTRODUCED BY: _____________________________ |
|---|