Hawaii legislators have introduced several bills to amend the state’s data breach notice law. Two of these legislative measures would eliminate the “risk of harm” trigger for breach notification in Hawaii. Currently, notice to Hawaii consumers is required only “where illegal use of the [breached] personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.”
A number of state breach notice laws have such provisions, and industry commenters responding to the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” have argued that breach notice should be required only when there is a significant risk of harm to individuals. These commenters argue that breach notice should be limited in this manner to prevent unduly alarming consumers and to avoid the dilution of breach notification for those cases in which a significant risk of harm does exist. In contrast to this approach, legislative measures in Hawaii would eliminate any “risk of harm” trigger for breach notification.
Specifically, these legislative measures would amend Hawaii’s breach notification requirements in the following respects:
- S.B. No. 728 and its companion bills in the House of Representatives would require notice whenever there is an unauthorized disclosure of personal information, regardless of whether there is a risk of harm to affected individuals. S.B. 728 would also amend the private right of action authorized under Hawaii’s breach notice statute. It would authorize “any person who is affected by a security breach that creates a risk of harm of identity theft” to sue for actual or statutory damages. While this language incorporates a risk of harm trigger into the statute’s civil remedy provision, it contemplates private actions against any business that has experienced a breach. Under current law, the private right of action is available only against businesses that have both experienced a breach and violated their breach notice obligations, and it does not authorize statutory damages. Finally, S.B. No. 728 would require businesses to provide greater detail about the circumstances of a breach in the content of notices sent to consumers.
- S.B. 796 would amend the definition of security breach so that “any incident of inadvertent, unauthorized disclosure of unencrypted or unredacted records or data containing personal information constitutes a security breach,” thereby requiring notice for every such incident. It would also require businesses to provide consumers a three-year subscription to a credit reporting agency’s monitoring services whenever there is a disclosable breach, and to offer affected individuals a choice of products from at least two different credit reporting agencies. Among its provisions, S.B. 796 provides as follows: “If a person elects not to subscribe to any credit monitoring and reporting services offered by a credit reporting agency, the person shall notify the responsible business or government agency in writing of the person’s choice to not subscribe to any credit monitoring or reporting services.” This appears to place a burden on affected consumers, not just on affected businesses.
- S.B. 1162 and its companion bill in the House focus on government agency breaches. They would require mandatory training programs for agencies that manage personal information, and they would require government agencies affected by a security breach to cover the cost of credit reporting or monitoring services for affected individuals for two years. They would also give additional responsibilities to the Hawaii Information Privacy and Security Council.