Can I use third-party customer service tools that collect personal information in Hawaii? What are the requirements?

Personal Information Protection Requirements in Hawaii

If you are using third-party customer service tools that collect personal information in Hawaii, you must comply with the state’s personal information protection requirements.

According to HIRS 487R-2, any business or government agency that conducts business in Hawaii and maintains personal information of a resident of Hawaii must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. The reasonable measures include implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.

Furthermore, a business or government agency may satisfy its obligation by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include reviewing and evaluating the disposal business’ information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.

Therefore, if you are using third-party customer service tools that collect personal information in Hawaii, you must ensure that the third-party service provider complies with the state’s personal information protection requirements. You should review and evaluate the third-party service provider’s information security policies or procedures, or take other appropriate measures to determine the competency and integrity of the third-party service provider.

Exceptions

The personal information protection requirements do not apply to financial institutions subject to 15 U.S.C. sections 6801 to 6809, health plans or healthcare providers subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996, or consumer reporting agencies subject to and in compliance with the Fair Credit Reporting Act, 15 U.S.C. sections 1681 to 1681x [HIRS 487R-2(e)].

Additional Information

The documents provided do not contain any additional information relevant to the query.

Jurisdiction

Hawaii

• Privacy