Hawaii Privacy Laws
Mandated Timeframe
Without unreasnable delay
Violations
Up to $2,500 per violation
REGULATION LEVELS
 Breach Reporting |
Consumer Notifications |
|---|---|
 Vendor Management |
Vendor Contract Required |
LEVEL DESCRIPTION
 Minimal |
Basic |
Comprehensive |
 Extensive |
|---|
Mandated Timeframe
Without unreasnable delay
Violations
Up to $2,500 per violation
REGULATION LEVELS
| Breach Reporting |
Consumer Notifications |
|---|---|
| Vendor Management |
Vendor Contract Required |
LEVEL DESCRIPTION
| Minimal |
Basic |
Comprehensive |
Extensive |
|---|
Mandated Timeframe
Without unreasonable delay
Violations
Up to $2,500 per violationy
REGULATION LEVELS
| Breach Reporting |
Consumer Notifications |
|---|---|
| Vendor Management |
Vendor Contract Required |
LEVEL DESCRIPTION
| Minimal |
Basic |
Comprehensive |
Extensive |
|---|
Hawaii Privacy Law Information
-
Definition of Personal Information
Hawaii’s security breach law applies to personal information in any format (whether computerized, paper or otherwise).
-
Privacy Program
Organizations conducting business in HI must take reasonable measures to protect against unauthorized access to or use of personal information in connection with or after its disposal. Organizations contracting with a data disposal Vendor must monitor and exercise due diligence ensuring the required policies and procedures are in place for the destruction of records, review an independent audit, obtain reliable professional references, require trade association certification.
-
Breach Reporting
When 1,000 or more consumers are notified, reporting is required to the State of Hawaii’s Office of Consumer Protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
-
Consumer Notification
There are specifically defined requirements for consumer notification. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
-
Vendor/Third Parties
Vendors in the business of destroying records must have policies and procedures in place for the destruction of records containing personal information so the records are unreadable or undecipherable. Vendors in the business of destroying records must have policies and procedures in place for the protection of personal information during and after collection, transportation, and destruction.
-
Industry Specific Laws
Hawaii passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
-
Fines & Penalties
In addition to the monetary penalties for violations of security breach notification and reporting, the Attorney General or the Executive Director of the Office of Consumer Protection may bring an action, and a business in violation may be liable for actual damages suffered by a consumer. Organizations may be fined or penalized for Vendor violations. Organizations may be subject to penalties up to $2,500 for each violation.
Hawaii