Preventing Data Breach Incidents in the State of Hawaii
Statute HRS § 487N-1, also known as Hawaii’s Data Breach Notification Statute, is a security breach notification law that was passed in 2013. Hawaii’s Data Breach Notification Statute was passed for the purpose of creating a legal framework that would govern data breach incidents within the state of Hawaii. To this end, Statute HRS § 487N-1 establishes the various steps and measures that organizations and businesses operating within the state of Hawaii must adhere to in the event of a data breach. Furthermore, the statute also establishes the punishments that said parties stand to face under the law should they fail to comply with all requirements and obligations that were set forth.
How is the term security breach defined?
Under Hawaii’s Data Breach Notification Statute, a security breach is defined as “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.”
What are the obligations of businesses and organizations?
Under Hawaii’s Data Breach Notification Statute, businesses and organizations that collect personal information concerning citizens residing within the state are required to fulfill a number of obligations should the personal information of said citizens be disclosed in a data breach or other related data security incident. Most notably, businesses and organizations are required to provide all affected parties with a consumer notification effectively detailing the scope of the breach, the information that was disclosed as a result of the breach, and any security measures that were in place to prevent such a breach. Moreover, the law also mandates that these notices are provided to consumers without undue delay, and must also contain further information, including:
- A description of the security incident that took place, in general terms.
- A telephone number or other form of contact information that affected consumers can use to retrieve further information and assistance regarding the breach.
- Advice or insight concerning the breach that will allow consumers to “remain vigilant by reviewing account statements and monitoring free credit reports.”
- The steps that the business or organization that experienced the breach has taken to ensure that the security, integrity, and confidentiality of the systems it uses to collect and process personal information have been reasonably restored.
In addition to providing consumers with notifications concerning the ramifications of any data breaches that have occurred, businesses and organizations are also required to provide written notice to the three major U.S. credit reporting agencies (Equifax, Experian, and TransUnion) in the event that a data breach affects more than 1,000 Hawaiian residents. Additionally, in instances where Hawaiian state government agencies experience a data breach, said entities are also required to provide written notice to the Hawaii State Legislature within 20 days after such an incident is discovered. These notices must detail the nature of the breach, the number of individuals that were affected by the breach, and whether the notice was delayed due to the actions of law enforcement officials, among other pertinent information.
What are the penalties for violating Statute HRS § 487N-1?
Statute HRS § 487N-1 is enforced by both the Hawaii Attorney General and the Hawaii Office of Consumer Protection. Businesses and organizations within Hawaii that violate the provisions established by the statute are subject to a number of penalties and punishments. Such sanctions include a monetary penalty of up to $2,500 for each violation that a particular business or organization is charged with committing, as well as civil actions that Hawaiian citizens can bring against said entities should they be adversely affected by a data breach that has occurred. Such civil actions can include actual damages and attorney fees, as well as other relevant legal fees.
Although only a handful of U.S. states have passed comprehensive data privacy laws as of 2022, including Virginia’s Consumer Data Protection Act and California’s Privacy Rights Act, many states have passed statutes related to data breaches. To this point, Statute HRS § 487N-1 regulates data breaches and related data security occurrences within the state of Hawaii by establishing various requirements that businesses and organizations must comply with when said incidents take place. As such, Hawaiian residents can rest assured they will have some avenue for recourse in the event that their personal information is disclosed as a result of a data breach.