Can I skip having an information security program in place in Hawaii? What are the requirements?
Based on the context documents, it is not possible to skip having an information security program in place in Hawaii. Hawaii law requires that each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [1.1].
Requirements for an information security program in Hawaii
The information security program shall be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer [1.2].
Regarding risk assessment, the licensee shall [1.2]:
- designate one or more employees, an affiliate, or a third-party service provider to act on behalf of the licensee who is responsible for the information security program;
- identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information;
- assess the likelihood and potential damage of the reasonably foreseeable internal or external threats;
- assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats;
- implement information safeguards to manage the threats identified in its ongoing assessment; and
- no less than annually, assess the effectiveness of the safeguards’ key controls, systems, and procedures.
Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system [2.3].
A qualified employee is an individual who is legally residing in Hawaii, is age eighteen years old or older, meets the financial requirements for a qualified employee as described in section 17-1709.2-10, has been unemployed for a minimum of six consecutive weeks immediately prior to applying for Hawaii premium plus, is employed by an eligible employer for a full-time position commencing on or after May 1, 2010, up to a date determined by the department that is no later than April 30, 2011, is enrolled in a health plan offered by the eligible employer that meets all the requirements of the Hawaii Prepaid Health Care Act, is not an independent contractor, and is not eligible for participation in Hawaii premium plus as described in chapter 17-1709.3 or was transitioned by the department from Hawaii premium plus as described in chapter 17-1709.3 to Hawaii premium plus as described in this chapter [4.1].
In summary, it is not possible to skip having an information security program in place in Hawaii. The information security program must be designed to protect nonpublic information and the licensee’s information system, and the licensee must assess the risks and implement safeguards to manage the threats identified in its ongoing assessment. If a security breach occurs, the affected person must be notified without unreasonable delay. Additionally, businesses and government agencies must protect personal information and make reasonable efforts to ensure compliance with the law.
Source(s):
- [1.1] Implementation of an information security program
- [1.2] Objectives of the information security program; risk assessment
- [2.3] Notice of security breach.
- [4.1] General requirements for a qualified employee
Jurisdiction
Hawaii