§487N-1 - Definitions.

§487N-1  Definitions.  As used in this
chapter, unless the context otherwise requires:

"Business" means a sole
proprietorship, partnership, corporation, association, or other group, however
organized, and whether or not organized to operate at a profit.  The term
includes a financial institution organized, chartered, or holding a license or
authorization certificate under the laws of the State, any other state, the
United States, or any other country, or the parent or the subsidiary of any
such financial institution.  The term also includes an entity whose business is
records destruction.

"Council" means the information
privacy and security council established under section 487N-5.

"Encryption" or "encrypted"
means the use of an algorithmic process to transform data into a form in which
the data is rendered unreadable or unusable without the use of a confidential
process or key.

"Government agency" means any
department, division, board, commission, public corporation, or other agency or
instrumentality of the State or of any county.

"Personal information" means
an individual's first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the
data elements are not encrypted:

(1)  Social security number;

(2)  Driver's license number or Hawaii identification
card number; or

(3)  Account number, credit or debit card number,
access code, or password that would permit access to an individual's financial
account.

"Personal information" does not include
publicly available information that is lawfully made available to the general
public from federal, state, or local government records.

"Records" means any material on which
written, drawn, spoken, visual, or electromagnetic information is recorded or
preserved, regardless of physical form or characteristics.

"Redacted" means the rendering of
data so that it is unreadable or is truncated so that no more than the last
four digits of the identification number are accessible as part of the data.

"Security breach" means an incident
of unauthorized access to and acquisition of unencrypted or unredacted records
or data containing personal information where illegal use of the personal
information has occurred, or is reasonably likely to occur and that creates a
risk of harm to a person.  Any incident of unauthorized access to and
acquisition of encrypted records or data containing personal information along
with the confidential process or key constitutes a security breach.  Good faith
acquisition of personal information by an employee or agent of the business for
a legitimate purpose is not a security breach; provided that the personal
information is not used for a purpose other than a lawful purpose of the
business and is not subject to further unauthorized disclosure. [L 2006, c 135,
pt of §2; am L 2008, c 19, §69; am L Sp 2008, c 10, §5]