When 1,000 or more consumers are notified, reporting is required to the State of Hawaii’s Office of Consumer Protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

There are specifically defined requirements for consumer notification. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Hawaii’s security breach law applies to personal information in any format (whether computerized, paper or otherwise).

In addition to the monetary penalties for violations of security breach notification and reporting, the Attorney General or the Executive Director of the Office of Consumer Protection may bring an action, and a business in violation may be liable for actual damages suffered by a consumer. Organizations may be fined or penalized for Vendor violations. Organizations may be subject to penalties up to $2,500 for each violation.

Hawaii passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

Organizations conducting business in HI must take reasonable measures to protect against unauthorized access to or use of personal information in connection with or after its disposal. Organizations contracting with a data disposal Vendor must monitor and exercise due diligence ensuring the required policies and procedures are in place for the destruction of records, review an independent audit, obtain reliable professional references, require trade association certification.

Vendors in the business of destroying records must have policies and procedures in place for the destruction of records containing personal information so the records are unreadable or undecipherable. Vendors in the business of destroying records must have policies and procedures in place for the protection of personal information during and after collection, transportation, and destruction.