THE SENATE S.B. NO. 1038 THIRTY-THIRD LEGISLATURE, 2025 S.D. 1 STATE OF HAWAII H.D. 1 A BILL FOR AN ACT RELATING TO PRIVACY. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
THE SENATE S.B. NO. 1038
THIRTY-THIRD LEGISLATURE, 2025 S.D. 1
STATE OF HAWAII H.D. 1
THE SENATE
S.B. NO.
1038
THIRTY-THIRD LEGISLATURE, 2025
S.D. 1
STATE OF HAWAII
H.D. 1
A BILL FOR AN ACT
RELATING TO PRIVACY.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The legislature finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, regular session of 2019 (H.C.R. No. 225), convened the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. H.C.R. No. 225 found that public use of the Internet and related technologies had significantly expanded and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of the State. The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in section 487N-1, Hawaii Revised Statutes, and the requirement that the public be notified of data breaches, be updated and expanded. Many identifying data elements relating to individuals are collected, and, when exposed to the public in a data breach, can place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers. Accordingly, the purpose of this Act is to add a definition for "specified data element" and expand the definition of "personal information". SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows: 1. By adding a new definition to be appropriately inserted and to read: ""Specified data element" means any of the following: (1) An individual's social security number, either in its entirety or the last four or more digits; (2) Driver's license number, federal or state identification card number, or passport number; (3) A federal individual taxpayer identification number; (4) A military identification number; (5) An individual's financial account number, or credit or debit card number, unless redacted; (6) A security code, access code, personal identification number, or password that would allow access to an individual's account; (7) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, including a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data; (8) A private key that is unique to an individual and is used to authenticate or sign an electronic record; and (9) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person." 2. By amending the definition of "personal information" to read: ""Personal information" means [an]: (1) An individual's first initial or first name [or first initial], and last name; (2) A user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account; (3) A name used by an individual, including the combination of the first name, any initials in the name, whether at the beginning or middle of the name, or a nickname combined with the last name; (4) A user name for an online account; (5) A mobile or home phone number; or (6) An electronic mail address specific to the individual, in combination with any one or more [of the following data] specified data elements, when [either] the [name or the data elements are] information in paragraphs (1) to (6) is not encrypted[: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.], redacted, or otherwise protected by another method that renders the information unreadable or unusable. "Personal information" does not include publicly available information that is lawfully made available to the general public [from federal, state, or local government records]." SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date. SECTION 4. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored. SECTION 5. This Act shall take effect on July 1, 3000; provided that section 2 of this Act shall take effect on April 1, 2026.
SECTION 1. The legislature finds that House Concurrent Resolution No. 225, H.D. 1, S.D. 1, regular session of 2019 (H.C.R. No. 225), convened the twenty-first century privacy law task force, whose membership consisted of individuals in government and the private sector having an interest or expertise in privacy law in the digital era. H.C.R. No. 225 found that public use of the Internet and related technologies had significantly expanded and that a lack of meaningful government regulation has resulted in personal privacy being compromised. Accordingly, the legislature requested that the task force examine and make recommendations regarding existing privacy laws and rules to protect the privacy interests of the people of the State.
The legislature further finds that, following significant inquiry and discussion, the task force recommended that the outdated definition of "personal information" in section 487N-1, Hawaii Revised Statutes, and the requirement that the public be notified of data breaches, be updated and expanded. Many identifying data elements relating to individuals are collected, and, when exposed to the public in a data breach, can place an individual at risk of identity theft or may compromise the individual's personal safety. In its current form, chapter 487N, Hawaii Revised Statutes, is not comprehensive enough to cover the additional identifiers.
Accordingly, the purpose of this Act is to add a definition for "specified data element" and expand the definition of "personal information".
SECTION 2. Section 487N-1, Hawaii Revised Statutes, is amended as follows:
1. By adding a new definition to be appropriately inserted and to read:
""Specified data element" means any of the following:
(1) An individual's social security number, either in its entirety or the last four or more digits;
(2) Driver's license number, federal or state identification card number, or passport number;
(3) A federal individual taxpayer identification number;
(4) A military identification number;
(5) An individual's financial account number, or credit or debit card number, unless redacted;
(6) A security code, access code, personal identification number, or password that would allow access to an individual's account;
(7) Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, including a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data;
(8) A private key that is unique to an individual and is used to authenticate or sign an electronic record; and
(9) Health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person."
2. By amending the definition of "personal information" to read:
""Personal information" means [an]:
(1) An individual's first initial or first name [or first initial], and last name;
(2) A user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account;
(3) A name used by an individual, including the combination of the first name, any initials in the name, whether at the beginning or middle of the name, or a nickname combined with the last name;
(4) A user name for an online account;
(5) A mobile or home phone number; or
(6) An electronic mail address specific to the individual,
in combination with any one or more [of the following data] specified data elements, when [either] the [name or the data elements are] information in paragraphs (1) to (6) is not encrypted[:
(1) Social security number;
(2) Driver's license number or Hawaii identification card number; or
(3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.], redacted, or otherwise protected by another method that renders the information unreadable or unusable.
"Personal information" does not include publicly available information that is lawfully made available to the general public [from federal, state, or local government records]."
SECTION 3. This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.
SECTION 4. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 5. This Act shall take effect on July 1, 3000; provided that section 2 of this Act shall take effect on April 1, 2026.
Report Title: Privacy; Personal Information; Security Breach; Notice; Identifier; Specified Data Element Description: Adds a definition for "specified data element" and expands the definition of "personal information". Effective 7/1/3000. (HD1) The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
Report Title:
Privacy; Personal Information; Security Breach; Notice; Identifier; Specified Data Element
Description:
Adds a definition for "specified data element" and expands the definition of "personal information". Effective 7/1/3000. (HD1)
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.