Representative Jon Riki Karamatsu (jonriki) wrote,
Representative Jon Riki Karamatsu

Final Reading Written Remarks for S.B. 2803,S.D. 1, H.D. 1, C.D. 1 Relating to Personal Information

Representative Jon Riki Karamatsu

Final Reading Written Remarks

Senate Bill 2803, Senate Draft 1, House Draft 1, Conference Draft 1

Relating to Personal Information (Identity Theft)

Tuesday, April 29, 2008


            I rise in support.


            The purpose of this bill is to protect the personal information collected and maintained by state and county agencies through the implementation of the recommendations of the "Hawaii Identity Theft Task Force Report" of December 2007.  I served on the task force, and through this bill we hope to reduce identity theft of personal information held by the state and county agencies.  The bill:


(1)  Requires each state and county agency designate an employee by September 1, 2009, to ensure the agency's compliance with requirements relating to the security of personal information;


(2)  Establishes the Information and Privacy Security Council to be placed administratively within the Department of the Accounting and General Services and authorizes the Comptroller to establish support positions.  By January 1, 2009, the council shall submit to the legislature a report of the council's assessment and recommendations on initiatives to mitigate the negative impacts of identity theft incidents on individuals.  No later than June 30, 2009, the council shall develop guidelines to be considered by government agencies in deciding whether, how, and when a government agency shall inform affected individuals of the loss, disclosure, or security breach of personal information that can contribute to identify theft.  The council shall review the individual annual reports submitted by government agencies, pursuant to section 487N-C, Hawaii Revised Statutes and submit a summary report to the legislature no later than twenty days prior to the convening of the regular session of 2010 and each year thereafter.  The summary report shall include the council's findings, significant trends, and recommendations to protect personal information used by government agencies.  The initial report to the legislature also shall include proposed legislation to amend section 487N-2, Hawaii revised Statutes or any other law that the council deems necessary to conform to the guidelines established.  No later than March 31, 2009, the council shall identify best practice relating to automated tools, training, processes, and applicable standards.  No later than July 31, 2009, the best practice identified by the council shall be posted on each government agency's website in a manner that is readily accessible by employees of the government agency;


(3)  Makes effective January 1, 2009, any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency's previous annual report.  The annual report shall be submitted no later than September 30 of each year;

(4)  Requires that by
December 31, 2008, the information privacy and security council established under section 487N-A, Hawaii Revised Statutes, in consultation with the information and communication services division of the Department of Accounting and General Services, and the information technology divisions of the respective counties, shall develop recommended practices and procedures to provide guidance to information technology managers in all government agencies relating to the security of laptops, removable data storage devices, and communication devices used to remotely access applications installed on state or county networks.  The council shall include recommendations on best practices and standards for protecting personal information that may be used with, stored on, or transmitted by the foregoing devices;


(5)  Makes effective September 1, 2008, any government agency that contracts with third parties to provide support services on behalf of the agency that requires access to personal information; or is requested to provide access to social security numbers and other personal information by a credit bureau or similar financial reporting organization,

shall include, in all new or renewed contracts, provisions to protect the use and disclosure of personal information administered by the agency;


(6)  Mandates that no later than September 1, 2008, all government agencies that collect, maintain, or disseminate documents containing personal information that are subject to disclosure pursuant to section 92F-12, Hawaii Revised Statutes, shall develop and implement a plan to protect and redact personal information, specifically social security numbers, contained in any existing hardcopy documents prior to making the documents available for public inspection.  Consumer reporting agencies, as defined by 15 U.S.C. section 1681a(f), which operate under 15 U.S.C. section 1681 et seq., shall continue to have access to personal information, including the nine digit social security numbers as the legislature finds that such access is necessary for criminal background checks, credit reporting for financial transactions and other similar purposes.  Agency plans shall be consistent with these purposes;


(7)  Requires that no later than December 1, 2008, all government agencies that collect, maintain, or disseminate documents containing personal information that are subject to disclosure pursuant to section 92F-12, Hawaii Revised Statutes, shall develop a written plan to eliminate the unnecessary collection and use of social security numbers;


(8)  Establishes that no later than January 1, 2010, the lead state and county government agencies that have primary responsibility for human resource functions shall develop and distribute to the appropriate government agencies written guidelines detailing recommended practices to minimize unauthorized access to personal information and personal information systems relating to personnel recruitment, background checks, testing, employee retirement and health benefits, time reporting and payroll issues;


(9)  Mandates that no later than September 1, 2009, all government agencies shall develop a written agency policy relating to notification of any security breach of personal information; and


(10)  Establishes no later than July 1, 2008, within the office of the auditor, the identity theft task force working group, to provide continuity from the work of the identity theft task force, established pursuant to Act 65, Session Laws of Hawaii 2005, as amended by Act 140, Session Laws of Hawaii 2006; and assist in the transition and development of recommendations and best practices related to personal information.  The working group shall include five members of the identity theft task force, the auditor, and the consultant retained by the auditor for the work of the identity theft task force.  The identity theft task force working group shall cease to exist on June 30, 2009.


            Thank you.


  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.