Ask Reggi Your Question Now
Can you summarize HIRS Chapter 487N?
TRADE REGULATION AND PRACTICE > Security Breach of Personal Information
Short Summary
This legal document, governed by the Hawaii Revised Statutes, addresses the security breach of personal information. It applies to businesses, financial institutions, entities involved in records destruction, and government agencies. A security breach occurs when there is unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information, which creates a risk of harm to a person. However, the good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not considered a security breach, as long as it is not used unlawfully or disclosed without authorization. The document requires affected businesses and government agencies to provide notice to the affected person without unreasonable delay following the discovery or notification of a security breach. The notice should include a description of the incident, the type of personal information that was subject to unauthorized access, the actions taken to protect the information, a contact number for further information and assistance, and advice for affected individuals to remain vigilant. The notice can be provided through various methods such as written notice, electronic mail notice, telephonic notice, or substitute notice. The document also outlines compliance requirements for financial institutions and healthcare providers. Any waiver of the provisions in this document is considered void and unenforceable. Violations of this document may result in penalties of not more than $2,500 for each violation, and businesses may also be liable to the injured party for actual damages sustained as a result of the violation. Reasonable attorneys’ fees may be awarded to the prevailing party. Government agencies are exempt from penalties and liability under this document. Additionally, government agencies are required to submit a written report to the legislature within twenty days after discovery of a security breach, detailing information relating to the breach and any procedures implemented to prevent future breaches. The document also establishes the information privacy and security council within the department of accounting and general services in Hawaii, which is responsible for assessing and recommending initiatives to mitigate the negative impacts of identity theft incidents and reviewing annual reports submitted by government agencies.
Whom does it apply to?
Businesses, financial institutions, entities involved in records destruction, and government agencies
What does it govern?
Security breach of personal information
What are exemptions?
Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose, as long as it is not used unlawfully or disclosed without authorization
What are the Penalties?
Not more than $2,500 for each violation; liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party; reasonable attorneys' fees may be awarded to the prevailing party
Jurisdiction
Hawaii