STAND. COM. REP. NO. 413

Honolulu, Hawaii

RE:    S.B. No. 1162

       S.D. 1

Honorable Shan S. Tsutsui

President of the Senate

Twenty-Sixth State Legislature

Regular Session of 2011

State of Hawaii

Sir:

     Your Committees on Economic Development and Technology and Judiciary and Labor, to which was referred S.B. No. 1162 entitled:

"A BILL FOR AN ACT RELATING TO SECURITY BREACHES OF PERSONAL INFORMATION,"

beg leave to report as follows:

     The purpose and intent of this measure is to strengthen the safeguards for security breaches of personal information held by government agencies, by:

     (1)  Requiring government agencies to develop mandatory training programs for designated agency personnel;

     (2)  In the event of a government security breach, requiring the government agency to be responsible for the cost of credit report or credit monitoring services for two years following the discovery of the security breach;

     (3)  Requiring reports of security breaches to be submitted to the Information Privacy and Security Council;

     (4)  Requiring the Council to coordinate implementation of guidelines by government agencies, and making the Comptroller or state Chief Information Officer Chair of the Council;

     (5)  Authorizing the Information and Communication Services Division of the Department of Accounting and General Services to provide training; and

     (6)  Appropriating unspecified funds for the Council.

Your Committees received testimony in opposition to this measure from two individuals.  Your Committees received comments on this measure from the Department of Accounting and General Services, Department of Human Resources of the City and County of Honolulu, University of Hawaii Professional Assembly, and Grande Law Offices.

     Your Committees find that in 2008, the Legislature approved several measures to provide greater protection to consumers from security breaches of personal information.  Since that time, the Legislature, government agencies, and the private sector have continued a proactive approach to information security.  This measure is one of several before the Legislature in the Regular Session of 2011, and your Committees have reviewed this measure as complementary to S.B. No. 796, which was also heard by your Committees.

     Your Committees further find that the concerns regarding this measure have been primarily focused on insufficient funding for implementation of the provisions in this measure, specifically the free credit report or credit monitoring and the lack of resources for personnel and security tools.

     Your Committees have removed the free credit report or credit monitoring provision from this measure and incorporated a comparable protection in S.B. No. 796, S.D. 1, by amending section 489P, Hawaii Revised Statutes, to add the requirement that credit bureaus shall offer free credit freeze services to victims of data breaches by the private or public sector.

     Your Committees have also reviewed the funding concerns raised by the Department of Accounting and General Services.  The Department testified that establishing an effective cyber security team would require approximately $350,000 annually for personnel, and $875,000 for the first year and $170,000 thereafter for security tools, maintenance, and licenses.

     Your Committees are in support of the expanded information security provisions in S.B. No. 796, S.D. 1, and in this measure.

     Your Committees have amended this measure accordingly, by:

     (1)  Deleting the proposed requirement for the government agency to be responsible for the cost of credit report or credit monitoring services for two years following the discovery of the security breach;

     (2)  Adding two unspecified appropriations for specialist and coordinator positions in statewide network security, application scanning, security incident, and training; and for security tools, maintenance, and licenses, including software and enhanced web applications; and

     (3)  Making technical, nonsubstantive amendments for the purposes of clarity and consistency.

     As affirmed by the records of votes of the members of your Committees on Economic Development and Technology and Judiciary and Labor that are attached to this report, your Committees are in accord with the intent and purpose of S.B. No. 1162, as amended herein, and recommend that it pass Second Reading in the form attached hereto as S.B. No. 1162, S.D. 1, and be referred to the Committee on Ways and Means.

Respectfully submitted on behalf of the members of the Committees on Economic Development and Technology and Judiciary and Labor,