Hawaii Consumer Privacy Law

Primary law

Hawaii's breach-notification duty applies to any business that owns or licenses personal information of Hawaii residents — in any form, including paper — and to government agencies collecting personal information.

Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.

See Haw. Rev. Stat. § 487N-2(a).

Primary law

Chapter 487J prohibits businesses and government agencies from publicly communicating an individual's entire social security number, among other SSN-handling restrictions.

Except as otherwise provided in subsection (b), a business or government agency may not do any of the following: (1) Intentionally communicate or otherwise make available to the general public an individual's entire social security number;

See Haw. Rev. Stat. § 487J-2(a).

Primary law

Chapter 487R requires any business or government agency that conducts business in Hawaii or possesses Hawaii residents' personal information to take reasonable measures to protect it in connection with or after its disposal.

Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

See Haw. Rev. Stat. § 487R-2(a).

Primary law

Hawaii's UDAP statute declares unfair methods of competition and unfair or deceptive acts or practices in any trade or commerce unlawful — the state-law hook for privacy misrepresentations.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are unlawful.

See Haw. Rev. Stat. § 480-2(a).

Primary law

A covered business under the breach act is any sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized for profit — there is no size threshold.

“Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized, and whether or not organized to operate at a profit.

See Haw. Rev. Stat. § 487N-1.

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

GLBA bars a financial institution from disclosing nonpublic personal information to a nonaffiliated third party unless it has provided the consumer the required privacy notice.

Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

HIPAA gives individuals a right to adequate notice of the uses and disclosures of protected health information a covered entity may make, and of their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

COPPA makes it unlawful for an operator of a website or online service directed to children, or an operator with actual knowledge it is collecting personal information from a child, to collect that information in violation of the FTC's regulations.

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

See 15 U.S.C. § 6502(a)(1).

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

Hawaii's UDAP statute is construed in line with FTC and federal-court interpretations of FTC Act § 5, so federal deception standards for privacy statements carry over to state-law exposure.

In construing this section, the courts and the office of consumer protection shall give due consideration to the rules, regulations, and decisions of the Federal Trade Commission and the federal courts interpreting section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.

See Haw. Rev. Stat. § 480-2(b).

Primary law

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

A GLBA financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless it has provided the consumer a privacy notice that complies with the federal requirements.

Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

A COPPA operator must provide notice on its website of what information it collects from children, how it uses that information, and its disclosure practices.

require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information

See 15 U.S.C. § 6502(b)(1)(A)(i).

Primary law

A business can satisfy its records-destruction obligation through due diligence plus a written contract with a records-destruction vendor, with ongoing monitoring of the vendor's compliance.

A business or government agency may satisfy its obligation hereunder by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section.

See Haw. Rev. Stat. § 487R-2(c).

Primary law

A business holding Hawaii residents' personal information that it does not own or license must notify the owner or licensee of a security breach immediately following discovery.

Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c).

See Haw. Rev. Stat. § 487N-2(b).

Primary law

A disposal business operating in Hawaii must itself take reasonable measures to protect personal information against unauthorized access or use during and after collection, transportation, and disposal.

A disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information.

See Haw. Rev. Stat. § 487R-2(d).

Primary law

The GLBA Safeguards Rule requires a financial institution to oversee its service providers — selecting and retaining providers capable of maintaining appropriate safeguards, requiring them by contract to implement and maintain such safeguards, and periodically assessing them.

Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

See 16 C.F.R. § 314.4(f).

Primary law

The HIPAA business-associate contract must establish the permitted and required uses and disclosures of protected health information and bind the business associate to appropriate safeguards, breach reporting to the covered entity, and flow-down of the same restrictions to subcontractors.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

See 45 C.F.R. § 164.504(e)(2).

Primary law

Breach notice is the one disclosure Hawaii law guarantees residents — a business that owns or licenses a resident's personal information must notify the affected person of a security breach.

Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.

See Haw. Rev. Stat. § 487N-2(a).

Primary law

A business or government agency may not require transmission of an entire social security number over the internet unless the connection is secure or the number is encrypted.

Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted.

See Haw. Rev. Stat. § 487J-2(a)(3).

Primary law

A GLBA financial institution must give the consumer the opportunity to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before any such disclosure.

A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless— (A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party; (B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and (C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.

See 15 U.S.C. § 6802(b)(1).

Primary law

COPPA gives a parent the right to refuse to permit an operator's further use or maintenance, or future online collection, of the child's personal information.

the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child

See 15 U.S.C. § 6502(b)(1)(B)(ii).

Primary law

A HIPAA covered entity's notice of privacy practices must state the individual's rights, including the rights to inspect and copy, to amend, and to receive an accounting of disclosures of protected health information.

The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: (A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi); (B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable; (C) The right to inspect and copy protected health information as provided by § 164.524; (D) The right to amend protected health information as provided by § 164.526; (E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528;

See 45 C.F.R. § 164.520(b)(1)(iv).

Primary law

Breach notice is owed to affected persons following discovery of a breach — covering personal information in any form, including paper — and must be made without unreasonable delay, subject to law-enforcement needs and scoping measures.

Any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

See Haw. Rev. Stat. § 487N-2(a).

Primary law

A security breach requires unauthorized access to and acquisition of unencrypted or unredacted personal information plus actual or reasonably likely illegal use creating a risk of harm; encrypted data is covered only if the confidential process or key is also acquired.

“Security breach” means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.

See Haw. Rev. Stat. § 487N-1.

Primary law

Personal information is a name combined with an unencrypted Social Security number, driver's license or Hawaii ID number, or a financial-account or card number with its access code or password.

“Personal information” means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

See Haw. Rev. Stat. § 487N-1.

Primary law

Hawaii prescribes the notice contents: a clear and conspicuous notice describing the incident, the data types involved, protective steps taken, a contact number if one exists, and vigilance advice.

The notice shall be clear and conspicuous. The notice shall include a description of the following: (1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the business or government agency to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

See Haw. Rev. Stat. § 487N-2(d).

Primary law

Notice may be written, electronic (with consent), or telephonic, with substitute notice available when cost exceeds $100,000, the affected class exceeds 200,000, or contact information is insufficient.

For purposes of this section, notice to affected persons may be provided by one of the following methods: (1) Written notice to the last available address the business or government agency has on record; (2) Electronic mail notice, for those persons for whom a business or government agency has a valid electronic mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. section 7001; (3) Telephonic notice, provided that contact is made directly with the affected persons; and (4) Substitute notice, if the business or government agency demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business or government agency does not have sufficient contact information or consent to satisfy paragraph (1), (2), or (3), for only those affected persons without sufficient contact information or consent, or if the business or government agency is unable to identify particular affected persons, for only those unidentifiable affected persons.

See Haw. Rev. Stat. § 487N-2(e).

Primary law

When notice goes to more than 1,000 persons at one time, the business must also notify Hawaii's Office of Consumer Protection and the nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

In the event a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify in writing, without unreasonable delay, the State of Hawaii's office of consumer protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. section 1681a(p), of the timing, distribution, and content of the notice.

See Haw. Rev. Stat. § 487N-2(f).

Primary law

Financial institutions subject to the federal interagency breach guidance and HIPAA-compliant health plans and healthcare providers are deemed in compliance with Hawaii's breach-notice section.

The following businesses shall be deemed to be in compliance with this section: (1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published in the Federal Register on March 29, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, or subject to 12 C.F.R. Part 748, and any revisions, additions, or substitutions relating to the interagency guidance; and (2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.

See Haw. Rev. Stat. § 487N-2(g).

Primary law

The breach-notification duty cannot be waived by contract — any waiver is void and unenforceable as contrary to public policy.

Any waiver of the provisions of this section is contrary to public policy and is void and unenforceable.

See Haw. Rev. Stat. § 487N-2(h).

Primary law

Hawaii's breach chapter gives the injured party a private action — a violating business is liable for actual damages, and the court may award reasonable attorneys' fees to the prevailing party.

In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.

See Haw. Rev. Stat. § 487N-3(b).

Primary law

Public enforcement of the breach chapter carries penalties of up to $2,500 per violation, in actions by the attorney general or the executive director of the Office of Consumer Protection; no action lies against a government agency.

Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency.

See Haw. Rev. Stat. § 487N-3(a).

Primary law

A consumer injured by an unfair or deceptive practice may sue and recover the greater of $1,000 or treble damages, plus reasonable attorney's fees and costs.

Any consumer who is injured by any unfair or deceptive act or practice forbidden or declared unlawful by section 480-2: (1) May sue for damages sustained by the consumer, and, if the judgment is for the plaintiff, the plaintiff shall be awarded a sum not less than $1,000 or threefold damages by the plaintiff sustained, whichever sum is the greater, and reasonable attorney's fees together with the costs of suit;

See Haw. Rev. Stat. § 480-13(b)(1).

Primary law

The SSN-protection chapter carries the same private right of action as the breach chapter — actual damages for the injured party plus possible attorneys' fees.

In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.

See Haw. Rev. Stat. § 487J-3(b).

Primary law

Public enforcement of the SSN-protection chapter carries penalties of up to $2,500 per violation, in actions by the attorney general or the executive director of the Office of Consumer Protection; no such action may be brought against a government agency.

Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency.

See Haw. Rev. Stat. § 487J-3(a).

Primary law

Public enforcement of the records-destruction chapter carries penalties of up to $2,500 per violation, in actions by the attorney general or the executive director of the Office of Consumer Protection; no such action may be brought against a government agency.

Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency.

See Haw. Rev. Stat. § 487R-3(a).

Primary law

The records-destruction chapter also carries a private action for actual damages with possible attorneys' fees.

In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.

See Haw. Rev. Stat. § 487R-3(b).

Primary law

Standing to sue over unfair or deceptive acts or practices is limited to consumers, the attorney general, and the director of the Office of Consumer Protection.

No person other than a consumer, the attorney general or the director of the office of consumer protection may bring an action based upon unfair or deceptive acts or practices declared unlawful by this section.

See Haw. Rev. Stat. § 480-2(d).

Primary law

UDAP violations carry a civil penalty of $500 to $10,000 per violation, collected in civil actions by the attorney general or the director of the Office of Consumer Protection, with each day a separate violation.

Any person, firm, company, association, or corporation violating any of the provisions of section 480-2 shall be fined a sum of not less than $500 nor more than $10,000 for each violation, which sum shall be collected in a civil action brought by the attorney general or the director of the office of consumer protection on behalf of the State.

See Haw. Rev. Stat. § 480-3.1.

Primary law

A UDAP violation that targets or injures an elder can draw an additional civil penalty of up to $10,000 per violation on top of any other penalty.

If a person commits a violation under section 480-2 which is directed toward, targets, or injures an elder, a court, in addition to any other civil penalty, may impose a civil penalty not to exceed $10,000 for each violation.

See Haw. Rev. Stat. § 480-13.5(a).