Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Hawaii residents.
“Security Breach” means an incident or unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.
“Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
“Redacted” means the rendering of data so that it is unreadable or truncated so that no more than the last four digits of the identification number are accessible as part of the data.
Covered Entities* / Third Party Recipients
Subject to statute:
Any business that owns or licenses personal information of residents, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes.
Third party recipients:
Any business located in Hawaii or that conducts business in Hawaii that maintains or possesses records or data with personal information of residents that the business does not own or license must notify the owner or licensee of any security breach immediately following discovery of the breach consistent with law enforcement needs.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or electronic notice must be provided to victims of a security breach without unreasonable delay, unless law enforcement determines that disclosure could impede a criminal investigation or jeopardize national security (in which case notification is delayed until authorized by law enforcement).
- Specific requirements for the form and content of notice are described in the statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $100,000, affected class exceeds 200,000 persons, or covered entity does not have sufficient contact information.
- Notice not required if the covered entity determines that it is not reasonably likely that illegal use of the personal information has or will occur or it is not reasonably likely that the security breach creates a risk of harm to a person.
If more than 1,000 persons are notified at one time under the Hawaii statute, notification must also be made to applicable consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted and the confidential process or key is not also compromised.
Exemption for good faith acquisition of personal information by an employee or agent of covered entity so long as personal information not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.
Certain financial institutes subject to federal regulations are exempt.
Any health plan or healthcare provider that is subject to HIPAA is exempt.
Notification to Regulator / Waiver
Hawaii Office of Consumer Protection must be notified if a breach involves over 1,000 residents.
A determination of no likelihood of harm:
Does not require notification to attorney general.
A waiver of the statute is void and unenforceable.
Penalties not to exceed $2,500 per violation.
Violators may also be liable to injured parties for actual damages sustained as a result of the violation.
Reasonable attorney fees may also be awarded to the prevailing party.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by the attorney general or executive director of the office of consumer protection.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute