Report Title:

City and County; Appropriation; Data Encryption System

Description:

Appropriates funds to the city and county of Honolulu for the development of a data encryption system.  (SD1)

HOUSE OF REPRESENTATIVES
TWENTY-FOURTH LEGISLATURE, 2008
STATE OF HAWAII

H.B. NO. 2712
H.D. 1
S.D. 1

A BILL FOR AN ACT

MAKING AN APPROPRIATION TO THE CITY AND COUNTY OF HONOLULU.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  (a)  In 2006, the legislature passed and Governor Linda Lingle signed into law several bills to provide increased protection to Hawaii residents from identity theft.  Several of these laws directly impact Hawaii businesses.  First, Act 135, Session Laws of Hawaii 2006, relating to protection from security breaches, requires businesses and government agencies that keep confidential personal information about consumers to notify those consumers if that information has been compromised by an unauthorized disclosure.  Second, Act 136, Session Laws of Hawaii 2006, relating to destruction of personal information records, requires businesses and government agencies to take reasonable measures to protect against unauthorized access to an individual's personal information when disposing of the records they keep.  Finally, Act 137, Session Laws of Hawaii 2006, relating to social security number protection, restricts businesses and government agencies from disclosing consumers' social security numbers to the general public.  All of these acts share the common goal of protecting individuals from exposure to identity theft through the imposition of limitations and restrictions on the use and disclosure of personal information.

     The legislature finds that pursuant to these acts, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

     (1)  Social security number;

     (2)  Driver's license number or Hawaii identification card number; or

     (3)  Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

     Furthermore, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.  Since "personal information" is specifically defined, records containing that information must be protected.

     Furthermore, "records" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.  This broad definition includes data appearing on paper and in computers, including hard drives and computer disks.

     Consequently, if a business is in possession of "personal information" contained in records that it maintains, the business must properly dispose of the records.  Furthermore, a business may satisfy this mandate by exercising "due diligence" and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of record destruction.

     Additionally, since a breach of the destruction provisions may also invoke the provisions of the security breach notification provisions of Act 135, an affected business must refer to that Act to determine whether additional action is required.

     (b)  The legislature further finds that the purpose of Act 137 is to minimize the abuses associated with the fraudulent use of a social security number by attempting to restrict its use as an identifier.  To provide businesses and government agencies time to comply with the law, Act 137 is scheduled to take effect on July 1, 2008.  Pursuant to Act 137, a business shall not:

     (1)  Intentionally communicate or otherwise make available to the general public an individual's entire social security number;

     (2)  Intentionally print or imbed an individual's entire social security number on any card required for the individual to access products or services provided by the person or entity;

     (3)  Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted;

     (4)  Require an individual to use the individual's entire social security number to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website; or

     (5)  Print an individual's entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.

     (c)  On the other hand, Act 137 recognizes several permissible uses of social security numbers, such as:

     (1)  Inclusion of a social security number in documents that are mailed and:

         (A)  The documents are specifically requested by the individual identified by the social security number;

         (B)  Social security numbers are required by state or federal law to be on the document;

         (C)  Social security numbers are required as part of an application or enrollment process;

         (D)  Social security numbers are used to establish, amend, or terminate an account, contract, or policy; or

         (E)  Social security numbers are used to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the Fair Credit Reporting Act, as set forth in 15 U.S.C. Section 1681(b);

     (2)  Use of a social security number in the opening of an account or the provision of or payment for a product or service authorized by an individual;

     (3)  Collection, use, or release of a social security number to investigate or prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Report Act (15 United States Code Sections 1681 to 1681x, as amended), undertake a permissible purpose enumerated under the federal Gramm Leach Bliley Act (15 United States Code Sections 6801 to 6809, as amended), locate an individual who is missing or due a benefit, such as a pension, insurance, or unclaimed property benefit, or locate a lost relative;

     (4)  Use of a social security number by a business or government agency acting pursuant to a court order, warrant, subpoena, or when otherwise required by law;

     (5)  Provision of a social security number by a business or government agency to a federal, state, or local government entity, including a law enforcement agency or court, or their agents or assigns;

     (6)  Collection, use, or release of a social security number in the course of administering a claim, benefit, or procedure relating to an individual's employment, including an individual's termination from employment, retirement from employment, injuries suffered during the course of employment, and other related claims, benefits, or procedures;

     (7)  Collection, use, or release of a social security number required by state or federal law;

     (8)  The sharing of a social security number between or among business affiliates;

     (9)  Use of a social security number for internal verification or administrative purposes;

    (10)  Redaction of the social security number; or

    (11)  Inclusion of the social security number in documents or records that are recorded or required to be open to the public pursuant to the constitution or laws of the State or court rule or order.

     The legislature also finds that notwithstanding the foregoing exceptions recognized under Act 137, a social security number that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope or may not be visible either on the envelope or without the envelope having been opened.

     The legislature finds that the city and county of Honolulu runs the computer systems to support statewide systems relating to driver's licensing, motor vehicle registration, voter registration, the juvenile justice system, and various other support systems.

     The purpose of this Act is to appropriate funds to the city and county of Honolulu to enable the city and county to secure the data identified in Acts 135 and 136, Session Laws of Hawaii 2006, and Act 137, Session Laws of Hawaii 2006, as amended by Act 183, Session Laws of Hawaii 2007.

     SECTION 2.  There is appropriated out of the general revenues of the State of Hawaii the sum of $1 or so much thereof as may be necessary for fiscal year 2008-2009 for a grant-in-aid to the city and county of Honolulu for the development of a data encryption system for the city and county of Honolulu; provided that:

     (1)  The funds shall be used to procure hardware, software, and the design of the system;

     (2)  The city and county of Honolulu shall provide staffing, facilities, and related infrastructure to encrypt the data for all city and county of Honolulu systems; and

     (3)  The department of information technology, of the city and county of Honolulu, shall work with the department of accounting and general services to establish necessary rules to ensure ongoing support.

     The sum appropriated shall be expended by the city and county of Honolulu for the purposes of this Act.

     SECTION 3.  This Act shall take effect on July 1, 2008.