[§487N-5]  Information privacy and security
council; established; duties; reports.  (a)  There is established an
information privacy and security council within the department of accounting
and general services for administrative purposes only.  Members of the council
shall be appointed no later than September 1, 2008, by the governor without
regard to section 26-34 and shall be composed of the following representatives:



(1)  Executive agencies that maintain extensive
personal information in the conduct of their duties, including the department
of education, the department of health, the department of human resources
development, the department of human services, and the University of Hawaii, to
be selected by the governor;



(2)  The legislature, to be selected by the president
of the senate and the speaker of the house of representatives;



(3)  The judiciary, to be selected by the
administrator of the courts; and



(4)  The four counties, to be selected by the mayor of
each county; provided that the mayor of each county shall determine the extent
to which the county may or may not participate.



The comptroller shall serve as chair of the
council.



(b)  By January 1, 2009, the council shall
submit to the legislature a report of the council's assessment and recommendations
on initiatives to mitigate the negative impacts of identity theft incidents on
individuals.  The report shall emphasize assessing the merits of identity theft
passport and identity theft registry initiatives that have been implemented in
other states.



(c)  No later than June 30, 2009, the council
shall develop guidelines to be considered by government agencies in deciding
whether, how, and when a government agency shall inform affected individuals of
the loss, disclosure, or security breach of personal information that can
contribute to identify theft.  The guidelines shall provide a standardized,
risk-based notification process in the instance of a security breach.



(d)  The council shall review the individual
annual reports submitted by government agencies, pursuant to section 487N-7 and
submit a summary report to the legislature no later than twenty days prior to
the convening of the regular session of 2010 and each year thereafter.  The
summary report shall include the council's findings, significant trends, and
recommendations to protect personal information used by government agencies.



The initial report to the legislature also
shall include proposed legislation to amend section 487N-2 or any other law
that the council deems necessary to conform to the guidelines established under
subsection (c).



(e)  The comptroller may establish support
positions for the information and communication services division, including
but not limited to, legal support, information technology, human resources and personnel,
records management, and administrative support. [L Sp 2008, c 10, pt of §4]