Can I ignore my obligations as a service provider with access to personal information in Hawaii? What are the requirements?
Based on the documents provided, as a service provider with access to personal information in Hawaii, you cannot ignore your obligations to protect personal information. Hawaii law requires businesses or government agencies that maintain or possess personal information of a resident of Hawaii to take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal [1.1].
Obligations of Service Providers
As a service provider, you are required to implement and monitor compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information [1.1]. You may also satisfy your obligation by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with Hawaii law [1.1].
Oversight of Third-Party Service Provider Arrangements
If you use a third-party service provider, you must exercise due diligence in selecting the provider and require them to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider [3.1].
Notice of Security Breach
If there is a security breach, you must provide notice to the affected person without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system [2.3].
In summary, as a service provider with access to personal information in Hawaii, you have obligations to protect personal information. You must implement and monitor compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information. If you use a third-party service provider, you must exercise due diligence in selecting the provider and require them to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider. If there is a security breach, you must provide notice to the affected person without unreasonable delay.
Source(s):
- [1.1] Destruction of personal information records
- [3.1] Oversight of third-party service provider arrangements
- [2.3] Notice of security breach
Jurisdiction
Hawaii