Bill Text: HI SB2427 | 2022 | Regular Session | Introduced


Bill Title: Relating To Information Privacy.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2022-01-31 - Re-Referred to EET, CPN/JDC/WAM.


THE SENATE

S.B. NO. 2427

THIRTY-FIRST LEGISLATURE, 2022

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO INFORMATION PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

SECURITY OF IOT DEVICES

     §   ‑1  Short title.  This chapter may be cited as the Security of IoT Devices Act.

     §   ‑2  Definitions.  As used in this chapter, unless the context clearly requires otherwise:

     "Consensus standards" means any standard promulgated by a nationally or industry recognized standard development organization.

     "IoT device" means a device that:

     (1)  Has at least one transducer (sensor or actuator) interacting directly with the physical world, has at least one network interface, and is not a conventional information technology device, such as a smartphone or laptop, for which the identification and implementation of cybersecurity is already well understood; and

     (2)  Can function on its own and is not only able to function when acting as a component of another device, such as a processor.

     "Manufacturer" means the person who manufactures, imports, or contracts with another person to manufacture on the person's behalf, IoT devices that are sold or offered for sale in the State.

     "Reasonable security feature" means a security feature that is commensurate with the risk created by the product's level of connectivity and accounting for the cost of the product, the cost to maintain the product, and the value of the product's service to the user.

     "Security feature" means a feature of a product designed to provide access security for that product.

     §   ‑3  Security features of IoT devices.  A manufacturer shall equip the IoT device with a reasonable security feature, appropriate to the nature and function of the IoT device and the information it collects, contains, or transmits, designed to protect the IoT device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.  Compliance with this section shall include but not be limited to equipping an IoT device with a means to protect the IoT device consistent with one or more of the following:

     (1)  A consensus standard that addresses commonly known or reasonably foreseeable vulnerabilities where the consensus standard is effective on the date of manufacture of the IoT device; provided that if the consensus standard is amended, the IoT device shall be deemed to be equipped with a reasonable security feature when the IoT device conforms to the previous version of the consensus standard and was manufactured within one year of the effective date of the amended consensus standard;

     (2)  A security rating from a certifying body with a recognized expertise in security or connected or IoT technologies;

     (3)  Design features that are based on widely recognized guidelines; or

     (4)  Standards and guidelines promulgated by the National Institute of Standards & Technology under the Cybersecurity Improvement Act of 2020.

     §   ‑4  Limitations on duties.  (a)  This chapter shall not be construed to impose any duty:

     (1)  Upon the manufacturer related to unaffiliated third-party software or applications that a user chooses to add to or use to interface with an IoT device; or

     (2)  Upon the manufacturer with respect to software patches, updates, or downloads.

     (b)  This chapter shall not be construed to impose any duty upon the manufacturer to prevent a user from having full control over an IoT device, including the ability to modify the software or firmware running on the product at the user's discretion.

     (c)  This chapter shall not apply to any IoT devices whose functionality is subject to security provisions under federal or state law, regulations, or standard or guidance.

     (d)  This chapter shall not apply to any product for which consumer registration of an IoT device is made available by the manufacturer and the consumer fails to register the IoT device with the manufacturer.

     (e)  This chapter shall not be construed to provide a basis for a private right of action or to be used as the basis for a standard of conduct under any other private right of action under the statutory or common law of this or any other state.  This chapter may be used as a basis for establishing an appropriate standard of conduct as the basis for any affirmative defense otherwise available under statutory or common law.  The attorney general shall have the exclusive authority to enforce this chapter.  The duties and obligations imposed by this chapter are cumulative with any other duties or obligations imposed under any other law and shall not be construed to relieve any party from any duties or obligations imposed under any other law.

     (f)  Any penalties imposed under this chapter shall not exceed $500,000 in the aggregate of all violations of this chapter by a manufacturer and shall be mitigated by taking into account good faith efforts to comply with this chapter, voluntary action to remedy any noncompliance, including through software updates, the actual harm or risk to consumers, the cost of the product, the cost to maintain the product, the value of the product's services to the user, and other relevant factors.  Any injunctive action shall be prospective and apply only to future products.

     (g)  Any voluntary action to remedy noncompliance with this chapter shall be evaluated for reasonableness taking into account the risk created by the product's level of connectivity and accounting for the cost of the product, the cost to maintain the product, and the value of the product's services to the user.

     (h)  This chapter shall not be construed to limit the authority of a law enforcement agency to obtain IoT device information from a manufacturer as otherwise authorized by law or pursuant to an order of a court of competent jurisdiction."

     SECTION 2.  This Act shall take effect upon its approval.

INTRODUCED BY:

_____________________________

Report Title:

Cyber Security; Internet; IoT Devices; Security Features; Information Privacy

Description:

Requires manufacturers of IoT devices to equip the devices with reasonable security features regarding information collected, unauthorized access, or the destruction or use of the devices.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
