§487N-2  Notice of security breach.
(a)  Any business that owns or licenses personal information of residents of
Hawaii, any business that conducts business in Hawaii that owns or licenses
personal information in any form (whether computerized, paper, or otherwise),
or any government agency that collects personal information for specific
government purposes shall provide notice to the affected person that there has
been a security breach following discovery or notification of the breach.  The
disclosure notification shall be made without unreasonable delay, consistent
with the legitimate needs of law enforcement as provided in subsection (c) of
this section, and consistent with any measures necessary to determine
sufficient contact information, determine the scope of the breach, and restore
the reasonable integrity, security, and confidentiality of the data system.

(b)  Any business located in Hawaii or any
business that conducts business in Hawaii that maintains or possesses records
or data containing personal information of residents of Hawaii that the
business does not own or license, or any government agency that maintains or
possesses records or data containing personal information of residents of
Hawaii shall notify the owner or licensee of the information of any security
breach immediately following discovery of the breach, consistent with the
legitimate needs of law enforcement as provided in subsection (c).

(c)  The notice required by this section shall
be delayed if a law enforcement agency informs the business or government
agency that notification may impede a criminal investigation or jeopardize
national security and requests a delay; provided that such request is made in
writing, or the business or government agency documents the request contemporaneously
in writing, including the name of the law enforcement officer making the
request and the officer's law enforcement agency engaged in the investigation.
The notice required by this section shall be provided without unreasonable
delay after the law enforcement agency communicates to the business or
government agency its determination that notice will no longer impede the
investigation or jeopardize national security.

(d)  The notice shall be clear and
conspicuous.  The notice shall include a description of the following:

(1)  The incident in general terms;

(2)  The type of personal information that was subject
to the unauthorized access and acquisition;

(3)  The general acts of the business or government
agency to protect the personal information from further unauthorized access;

(4)  A telephone number that the person may call for
further information and assistance, if one exists; and

(5)  Advice that directs the person to remain vigilant
by reviewing account statements and monitoring free credit reports.

(e)  For purposes of this section, notice to
affected persons may be provided by one of the following methods:

(1)  Written notice to the last available address the
business or government agency has on record;

(2)  Electronic mail notice, for those persons for
whom a business or government agency has a valid electronic mail address and
who have agreed to receive communications electronically if the notice provided
is consistent with the provisions regarding electronic records and signatures
for notices legally required to be in writing set forth in 15 U.S.C. section
7001;

(3)  Telephonic notice, provided that contact is made
directly with the affected persons; and

(4)  Substitute notice, if the business or government
agency demonstrates that the cost of providing notice would exceed $100,000 or
that the affected class of subject persons to be notified exceeds two hundred
thousand, or if the business or government agency does not have sufficient
contact information or consent to satisfy paragraph (1), (2), or (3), for only
those affected persons without sufficient contact information or consent, or if
the business or government agency is unable to identify particular affected
persons, for only those unidentifiable affected persons.  Substitute notice
shall consist of all the following:

(A)  Electronic mail notice when the business
or government agency has an electronic mail address for the subject persons;

(B)  Conspicuous posting of the notice on the
website page of the business or government agency, if one is maintained; and

(C)  Notification to major statewide media.

(f)  In the event a business provides notice to
more than one thousand persons at one time pursuant to this section, the
business shall notify in writing, without unreasonable delay, the State of
Hawaii's office of consumer protection and all consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis, as defined in 15
U.S.C. section 1681a(p), of the timing, distribution, and content of the
notice.

(g)  The following businesses shall be deemed
to be in compliance with this section:

(1)  A financial institution that is subject to the federal
Interagency Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice published in the Federal Register on March 29,
2005, by the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the Office of the Comptroller of the Currency,
and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any
revisions, additions, or substitutions relating to the interagency guidance;
and

(2)  Any health plan or healthcare provider that is
subject to and in compliance with the standards for privacy or individually
identifiable health information and the security standards for the protection
of electronic health information of the Health Insurance Portability and
Accountability Act of 1996.

(h)  Any waiver of the provisions of this
section is contrary to public policy and is void and unenforceable. [L 2006, c
135, pt of §2; am L 2008, c 19, §70]