Risk of Harm

Hawaii legislators have introduced several bills to amend the state’s data breach notice law.  Two of these legislative measures would eliminate the “risk of harm” trigger for breach notification in Hawaii.  Currently, notice to Hawaii consumers is required only “where illegal use of the [breached] personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.” 

A number of state breach notice laws have such provisions, and industry commenters responding to the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” have argued that breach notice should be required only when there is a significant risk of harm to individuals.  These commenters argue that breach notice should be limited in this manner to prevent unduly alarming consumers and to avoid the dilution of breach notification for those cases in which a significant risk of harm does exist.  In contrast to this approach, legislative measures in Hawaii would eliminate any “risk of harm” trigger for breach notification. 

Specifically, these legislative measures would amend Hawaii’s breach notification requirements in the following respects:Continue Reading Hawaii Considers Amendments To Data Breach Notification Law