Hawaii Law Briefing – Hawaii Security Breach Law and Identity Theft Notification

Identity theft is one of the fastest growing crimes committed throughout the United States. Criminals who steal personal information use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people’s identities.

Hawaii has the sixth worst record of identity theft in the nation, according to a 2007 report.

I. Hawaii’s Security Breach Law

Identity theft in Hawaii has resulted in significant losses to both businesses and consumers. This epidemic motivated the Hawaii legislature in 2006 to pass several bills whose purpose is to provide increased protection to Hawaii residents from identity theft:

Act 135: Requires businesses and government agencies that keep confidential information about consumers to notify those consumers if that information has been compromised by an unauthorized disclosure;

Act 136: Requires reasonable measures to protect against unauthorized access to personal information to be taken when disposing of records;

Act 137: Restricts businesses and government agencies from disclosing/requiring social security numbers to/from the public;

Act 138: Permits a consumer who has been the victim of identity theft to place a security freeze on their credit report;

Act 139: Intentional or knowing possession without authorization of confidential personal information is a class C felony.

Together, the bills signed into law by Governor Linda Lingle as HRS Chapter 487R impose obligations on businesses in Hawaii to notify residents whenever their personal information maintained by the business has been compromised by unauthorized disclosure.

HRS Chapter 487R does not cover financial institutions subject to the Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice, or health plans and providers subject to HIPAA.

The underlying policy behind HRS Chapter 487R is that prompt notification will help potential victims to act against identity theft by initiating steps to monitor their credit reputation. Thus, it is critical that any business subject to HRS Chapter 487R audit the manner in which confidential personal information is maintained and have a security breach team prepared to comply with the notice obligations and effectively deal with any breach of personal information.

II. Security Breach

HRS 487R imposes obligations on the part of Hawaii businesses to notify an individual whenever the individual’s personal information that is maintained by the business has been compromised by unauthorized disclosure and to do so in a timely manner.

Under the statute, “Personal Information” consists of an individual’s first name or first initial AND last name in combination with any one or more of the following data elements, when either the name OR the data elements are not encrypted: Social Security Number, driver’s license or Hawaii Identification Number; or an account number, credit or debit card number, or password that would permit access to an individual’s financial account.

The personal information is protected if on a “record.” A “record” is any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. Thus, a “record” can be in digital form or on a paper document, which differs significantly from other states that might cover only digital information.

The notice obligations are triggered when a “security breach” occurs. A “security breach” is defined as an incident of unauthorized access to AND acquisition of unencrypted or unredacted records of data containing personal information, where illegal use of the personal information has occurred, OR is reasonably likely to occur; AND that creates a risk of harm to a person. As the definition indicates, it is often difficult to determine whether information has been “acquired” or the extent to which a “risk of harm” exists.

Several states, including Alabama, Connecticut, Delaware, and Florida, have devised a risk of harm exception. Such an exception generally relieves the business from the notice obligation after consultation with law enforcement. Since Hawaii law has no such exception, most incidents of theft or loss of unencrypted/unredacted records containing personal information should carry the presumption that illegal use is likely to occur and that a risk of harm exists. In addition, even if a statutory obligation does not arise, other legal obligations may exist with respect to the theft or loss.

III. Notification Obligations

To the extent a security breach has occurred, and personal information has been compromised, the business must satisfy the notification obligations imposed by HRS Chapter 487R. Form notices are made part of this article for educational purposes only. The notice obligations must be satisfied without “unreasonable delay.” The only exception would be if a law enforcement agency informs the business in writing that notification may impede a criminal investigation or jeopardize national security. Once it has been determined that the notice will no longer impede the investigation, the notice must be promptly provided.

Under HRS Chapter 487R, the business must notify the resident (and the Office of Consumer Protection/credit reporting agencies where notice has been provided to 1,000 persons).
The notice must be given to the last available address. The notice may be sent to the resident’s email address only if the person has “opted in” to receive notices in that manner. Direct telephonic notice may be given under the statute, but generally is not the recommended way to notify the resident given the potential legal risk with such form of communication.

Under the statute, “substitute notice” may be provided if the business can demonstrate that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business does not have sufficient contact information or is unable to identify particular affected persons.

Substitute notice shall consist of emailing the person when the email address is known, the conspicuous posting of a notice on the website maintained by the business, and notification of the security breach to major statewide media.

IV. Penalties

Statutory penalties can be significant. However, government agencies are exempt from statutory penalties under HRS § 487R-3. Under the law, businesses can be fined not more than $2,500 for each violation. Such penalty can add up quickly where hundreds or even thousands of Hawaii residents are not informed that their personal information has been compromised.

In addition, a court may impose an injunction on the business and the business may be liable for actual damages and attorneys’ fees.

V. Final Word

Hawaii and other states have taken significant steps to combat the growing epidemic of identity theft. It is important that Hawaii businesses, employers, and consumers take reasonable steps to protect their interests and reputations.

For Hawaii employers and businesses:

o Enter into agreements imposing obligations on third-party companies to handle sensitive and personal information of your employees and customers in a reasonable manner and to report security breaches immediately;

o Ensure reasonable administrative, physical, and technical safeguards are placed over the personal information handled both by the third-party company and internally;

o Periodically have the IT department conduct a risk analysis over electronically-stored information and computer network systems of the company;

o Have IT draft and periodically review comprehensive security procedures to limit vulnerability of the company’s systems and a plan of action;

o Train and retrain employees on privacy policies;

o Ensure company employees collect only the minimum amount of information necessary to accomplish the business purpose.

For consumers:

o Ask your employer, doctor, bank, etc., what steps are taken to protect against misappropriation of private information;

o Treat your mail and trash carefully; use cross cut shredders;

o Use locked mailboxes;

o Keep private information in your home hidden and secure;

o Don’t give out private information over the phone;

o Use care when using your computer; create strong passwords;

o Use common sense and stay alert (for example, write to your creditor as soon as you believe you have not timely received a billing statement);

o File a police report and obtain the police report number when you learn that your personal information has been compromised and close accounts, e.g., credit card, bank accounts, etc.;

o Follow up with law enforcement in writing and maintain a file; dispute bad checks written directly with merchants;

o Place a fraud alert/freeze on your credit files (Equifax, Experian or TransUnion);

o Periodically obtain your credit report and look it over carefully; note inquiries from companies you did not contact, accounts you did not open, debts you cannot explain and report such information immediately to law enforcement.

SAMPLE LETTER 1

Data Acquired: Account Number, Credit Card or Debit Number, Access Code or Password that would permit access to Individual’s Financial Account

Dear

We are writing to you because of a recent security incident at [name of organization].
[Describe what happened in general terms, what type of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

To protect yourself from the possibility of identity theft, we recommend that you immediately contact [credit card or financial account issuer] at [phone number] and tell them that your account may have been compromised. Continue to monitor your account statements.

If you want to open a new account, ask [name of account insurer] to give you a PIN or password. This will help control access to the account.

To further protect yourself, we recommend that you review your credit reports at least every three months for at least the next year. Just call any one of the three credit reporting agencies at a number below. Ask for instructions on how to get a free copy of your credit report from each.

Experian: 888-397-3742
Equifax: 888-766-0008
TransUnion: 800-680-7289

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at ______________ [or the Federal Trade Commission at ___________________]. If there is anything [name of your organization] can do to assist you, please call [toll-free (if possible) phone number].

[Closing]

SAMPLE LETTER 2

Data Acquired: Driver’s License or Hawai’i Identification Card Number

Dear

We are writing to you because of a recent security incident at [name of organization].
[Describe what happened in general terms, what kind of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

Since your Driver’s License [or Hawai’i Identification Card] number was involved, we recommend that you immediately contact your local DMV office to report the theft. Ask them to put a fraud alert on your license.

To further protect yourself, we recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at a number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each.

Experian: 888-397-3742
Equifax: 888-766-0008
TransUnion: 800-680-7289

When you receive your credit reports, look them over carefully. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate and look for personal information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

If you do find suspicious activity on your credit reports, call local law enforcement and file a report of identity theft. [Or, if appropriate, give contact number for law enforcement agency investigating the incident for you.] Get a copy of the police report. You may need to give copies to creditors to clear up your records.

Even if you do not find any signs of fraud on your reports, we recommend that you check your credit reports at least every three months for at least the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place.

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at _________________ [or the Federal Trade Commission at __________________]. If there is anything [name of your organization] can do to assist you, please call [toll free (if possible) phone number].

[Closing]

SAMPLE LETTER 3

Data Acquired: Social Security Number

Dear

We are writing to you because of a recent security incident at [name of organization]. [Describe what happened in general terms, what kind of personal information was involved, and what you are doing in response, including acts to protect further unauthorized access.]

To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at a number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each.

Experian: 888-397-3742
Equifax: 888-766-0008
TransUnion: 800-680-7289

When you receive your credit reports, look them over carefully. Look for accounts you did not open. Look for inquiries from creditors that you did not initiate and look for personal information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

If you do find suspicious activity on your credit reports, call local law enforcement and file a police report of identity theft. [Or, if appropriate, give contact number for law enforcement agency investigating the incident for you.] Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records.

Even if you do not find any signs of fraud on your reports, we recommend that you check your credit reports at least every three months for at least the next year. Just call one of the numbers above to order your reports and keep the fraud alert in place.

For more information on identity theft, we suggest that you visit the Web site of the Hawai’i Department of Commerce and Consumer Affairs at ____________ [or the Federal Trade Commission at ______________]. If there is anything [name of your organization] can do to assist you, please call [toll-free (if possible) phone number].

[Closing]