Senate Bill 1178 for An Act Relating to Privacy was introduced on, 20 January 2023, to the Hawaii Legislature, passed first reading on 23 January 2023, and was thereafter referred to the Commerce and Consumer Protection Committee on 27 January 2023. In particular, the bill aims to modernise the definition of personal information for the purposes of notifying affected persons of data and security breaches. More specifically, the bill amends the definition of personal information under §487N-1 et seq. of the Hawaii Revised Statutes to identifier in combination with one or more specified data elements, maintaining the exemption that personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

To this end, the bill defines 'identifier' as 'a common piece of information related specifically to an individual that is commonly used to identify the individual across technology platforms, including:

• a first name or initial, and last name;
• a username for an online account;
• a mobile phone number; or
• an email address specific to the individual'.

On the other hand, the bill defines 'specified data elements' as 'any of the following:

• an individual's social security number, either in its entirety or the last four or more digits;
• a driver's license number, federal or state identification card, or passport number;
• a federal individual taxpayer identification number;
• an individual's financial account number, or credit or debit card number;
• a security code, access code, personal identification number, or password that would allow access to an individual's account;
• unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a finger or voice print, retina or iris image, or other unique physical or digital representation of biometric data;
• a private key that is unique to an individual and that is used to authenticate or sign an electronic record; and
• a health insurance policy number, subscriber identification number, medical identification number, or any other unique number used by a health insurer to identify a person'.

Furthermore, the bill clarifies that medical information that is protected by the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and its enacting regulations or other applicable federal or state law does not constitute 'specified data elements'.

You can read the bill here and track its progress here.

UPDATE (21 February 2023)

Bill on definition of personal information for data and security breaches passes Commerce and Consumer Protection Committee

The bill was passed with amendments at second reading by the Commerce and Consumer Protection Committee, on 17 February 2023, and thereafter referred to the Senate Judiciary Committee.

You can read the bill here and track its progress here.