Can I avoid having a data breach response plan in Hawaii? What are the requirements?
Data Breach Response Plan Requirements in Hawaii
Based on the documents provided, it is not possible to avoid having a data breach response plan in Hawaii if you are a licensee in possession of nonpublic information. The Hawaii Revised Statutes (HRS) 431:3B-207 requires each licensee to establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The incident response plan shall address several areas, including the internal process for responding to a cybersecurity event; the goals of the incident response plan; the definition of clear roles, responsibilities, and levels of decision-making authority; external and internal communications and information sharing; identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; documentation and reporting regarding cybersecurity events and related incident response activities; and the evaluation and revision, as necessary, of the incident response plan following a cybersecurity event [1.1].
Furthermore, any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system [2.1].
Amendment of Data Breach Response Plan
The contingency plan must be reviewed, and immediately amended, if necessary, whenever: (a) Applicable regulations are revised; (b) The plan fails in an emergency; (c) The facility changes – in its design, construction, operation, maintenance, or other circumstances – in a way that materially increases the potential for fires, explosions, or releases of hazardous waste or hazardous waste constituents, or changes the response necessary in an emergency; (d) The list of emergency coordinators changes; or (e) The list of emergency equipment changes [6.2].
Therefore, if you are a licensee in possession of nonpublic information, you must have an incident response plan in place that meets the requirements of HRS 431:3B-207. The plan must be reviewed and amended whenever applicable regulations are revised, the plan fails in an emergency, or there are changes in the facility that materially increase the potential for cybersecurity events or change the response necessary in an emergency.
Source(s):
- [1.1] Incident response plan.
- [2.1] Notice of security breach.
- [6.2] Amendment of contingency plan.
Jurisdiction
Hawaii