HAWAII PRIVACY LAWS

Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $2,500 for each violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Hawaii’s security breach law applies to personal information in any format (whether computerized, paper, or otherwise).
  • There are specific defined requirements for consumer notification.
  • When 1,000 or more consumers are notified, reporting is required to the State of Hawaii’s Office of Consumer Protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to the regulator and for consumer notification.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • In addition to monetary penalties for violations of security breach notification and reporting, the Attorney General or the Executive Director of the Office of Consumer Protection may bring an action, and a business in violation may be liable for actual damages suffered by a consumer.
  • Organizations conducting business in HI must take reasonable measures to protect against unauthorized access to or use of the personal information in connection with or after its disposal.
  • Vendors in the business of destroying records must have policies and procedures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • Vendors in the business of destroying records must have policies and procedures in place for the protection of personal information during and after collection, transportation and destruction.
  • Organizations contracting with a data disposal Vendor must monitor and exercise due diligence ensuring the required policies and procedures are in place for the destruction of records, review an independent audit, obtain reliable professional references, require trade association certification.
  • Organizations may be fined or penalized for Vendor violations.
  • Organizations may be subject to penalties up to $2,500 for each violation.
Statutes and Laws
  • Haw. Rev. Stat. § 487D Retail Merchant Club Cards
  • Haw. Rev. Stat. § 487J Personal information protection requirements
  • Haw. Rev. Stat. § 487N Security Breach of Personal Information
  • Haw. Rev. Stat. § 487R Destruction of Personal Information Records
  • Haw. Rev. Stat. § 323B Health Care Privacy Harmonization Act
  • H.A.R. § 8-34 Protection of Education Rights and Privacy of Students and Parents 
  • H.A.R. § 16-54 Personal Records