§487R-2 - Destruction of personal information records.
§487R-2 Destruction of personal information records.

(a) Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

(b) The reasonable measures shall include:

    (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;

    (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed; and

    (3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.

(c) A business or government agency may satisfy its obligation hereunder by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following:

    (1) Reviewing an independent audit of the disposal business' operations or its compliance with this chapter;

    (2) Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or

    (3) Reviewing and evaluating the disposal business' information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.

(d) A disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information.

(e) This chapter shall not apply to any of the following:

    (1) Any financial institution that is subject to 15 U.S.C. sections 6801 to 6809, as amended;

    (2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or

    (3) Any consumer reporting agency that is subject to and in compliance with the Fair Credit Reporting Act, 15 U.S.C. sections 1681 to 1681x.

[L 2006, c 136, pt of §2; am L 2008, c 19, §72]