Data Breach Law in Hawaii


Data Breach Law in Hawaii

Statute Codes

Breach notification law for Hawaii is covered under H.R.S. § 487N-1 et seq., which includes S.B. 2290, and S.B. 2402. S.B. 2290, Act 135, was put into law on May 25, 2006. It became effective on January 1, 2007. S.B. 2402, Act 19, was put into law on April 17, 2008. It became effective on April 17, 2008.

Legal Requirements for Data Breach Law in Hawaii

In Hawaii, breach notification pertains to entities owning or licensing computerized PI, paper PI, or any other PI management. Entities are defined as corporations, proprietorships, partnerships, associations, or any variety of groups operating at a profit. Financial institutions licensed in Hawaii or the U.S., or other countries, and institutions acting as parent businesses for such groups, as well as government agencies, are also included under Hawaii’s definition of an entity. Additionally, should an entity not be local to Hawaii, if they have PI on the state’s residents, they are included under these statutes’ authority. Security breaches happen when unauthorized persons access PI that’s not encrypted or redacted. If a breach is likely to have occurred (or has occurred) and there’s a risk of harm to a Hawaii citizen, then it is considered a PI data breach. Good faith data acquisition isn’t a breach if the PI isn’t used improperly.

PI in Hawaii is the first name and last name, or first initial and last name, of a citizen combined with other relevant information; SSNs, driver’s licenses, identification card numbers, account numbers, credit card numbers, financial information, or similar items. PI doesn’t include information or government records legally available to the public at local, federal, or state levels.

Timeframes for Reporting a Breach

Breach notification becomes obligatory if a breach is discovered, or an entity is notified of a breach. Should 1,000 or more persons be affected, the AG must be notified. Also, the Office of Consumer Protection in Hawaii must be notified pertaining to the content, timing, and distribution of the breach. An entity must additionally notify consumer reporting agencies pertaining to timing, distribution, and affected content. This must be done in writing and without any kind of unexcused delay. For government agencies, a report must be given to local legislature within 20 days of breach discovery.

This report must show what happened, how many were affected, include a copy of the breach notification sent to affected parties, note whether law enforcement delayed reporting, and detail what preventative measures have been taken in response. If law enforcement restricts notification owing to investigation the 20-day period comes into effect from the time the investigation ends. If an entity has data on Hawaii’s residents that aren’t owned or licensed, whoever owns that information must be notified pertaining to PI breach immediately upon its discovery. Timing in all categories here must not incorporate unreasonable delay. Acceptable delay is time to collect contact information, determine how big the breach was, and restore affected systems to integrity.

Associated Penalties

Breach notification laws are enforced by Hawaii’s AG. Violations of these laws are subject to as much as $2,500 per violation.


Breach notification exceptions for Hawaii include groups complying with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer notice. This notice came about on March 7, 2005. Additionally, HIPAA-governed entities are accepted provided they remain in compliance with HIPAA.

Delays in the notification are allowed for law enforcement agencies conducting criminal investigations. However, a request for notification delay must be made in writing. Otherwise, the entity must document such requests, including which law enforcement personnel were involved, and their associated law enforcement agency. This notice must be made as swiftly as reasonably possible after notification delay is commanded by law enforcement.

Waivers are not permitted.

Contact Security Compliance Associates Today to Learn More about Information Security Breach Law in Hawaii

Security Compliance Associates (SCA) has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.