Hawaii Revised Statutes § 487N et seq.
Type of Data Covered: "Any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics."
Is Breach Defined?
“Security breach” means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach. See §487N-1.
When is notice required?
Notice is required for all residents affected by the breach and must be delivered "without unreasonable delay, consistent with the legitimate needs of law enforcement...and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system." Written, telephonic, email, and substitute notice are all acceptable, depending on the circumstances. If over 1,000 residents are affected, consumer reporting agencies must be notified as well. Hawaii also sets minimum requirements for the content of the notice: it must describe the incident in general terms, the type of information affected, the general actions taken to prevent further unauthorized access, a telephone number to contact someone at the company, and advice on how to deal with the situation.
What are the penalties for non-compliance?
Violations have their own section of the law, §487N-3, which reads as follows:
(a) Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency.
(b) In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party. No such action may be brought against a government agency.
(c) The penalties provided in this section shall be cumulative to the remedies or penalties available under all other laws of this State.