Hawaii Data Breach Bill Clears Senate Committee
The Hawaii Senate Commerce Committee cleared a proposed update to the state’s data breach notification law by a 3-0 vote Wednesday.
Sign up for a free preview to unlock the rest of this article
SB-1038 is “good bill that would make consumers aware when their non-public private information has been subject to unauthorized access,” testified Mana Moriarty, Hawaii Office of Consumer Protection executive director.
It would add definitions of "identifier" and "specified data element" and amend the definition of "personal information" for notifying affected persons of data and security breaches under the state’s existing data breach law.
The bill was opposed by multiple industry groups, including TechNet, the Consumer Data Industry Association and the State Privacy and Security Coalition. Hawaii Financial Services Association counsel Marvin Dang disagreed with the bill setting an “outlier” standard for redacting social security numbers. Typically, companies are allowed to leave the last four digits visible, but SB-1038 would reduce that to three, he said.
But bill sponsor Sen. Chris Lee (D) said the four-digit standard isn’t secure enough for Hawaii due to its lower population. If a bad actor knows the last four digits and that the person lives in Hawaii, it won’t take long to guess the rest of the SSN, he said. SSNs for Hawaii residents “can be easily guessed at with the inclusion of just the last four digits,” agreed Moriarty.
Hawaii lawmakers have been discussing a bill like SB-1038 for years, said Lee. In the meantime, he said, scams targeting seniors and other Hawaiians have continued.