Business Owners Beware: New Legislation Requires Business Owners to Help Protect Against Identity Theft
According to the Federal Trade Commission, cases of identity theft rose nearly 265% from 2001 through 2005. Statistics additionally show that Hawaii is ranked 25th in the nation for identity theft and 13th in the nation for fraud complaints. Confronted with these ever-increasing concerns, in May 2006, Governor Lingle signed several new bills into law which aim to increase protection for Hawaii residents from identity theft; some of these laws will have a direct impact on Hawaii businesses. Two of these laws, Act 135 “Notification of Security Breaches” and Act 136 “Destruction of Personal Information” went into effect on January 1, 2007.
Act 135
Act 135, codified at Haw. Rev. Stat. § 487N-2, requires government agencies and businesses located in or conducting business in Hawaii who own or license personal information about Hawaii residents to notify any affected persons whose “personal information” has been compromised by any unauthorized disclosures. If the business or agency does not own or license the personal information, it must notify the owner or licensee of the information immediately following discovery of the breach. Accordingly, the business or government agency must determine first whether “personal information” is involved and second, whether a “security breach” has occurred.
For purposes of the Act, “personal information” means a person’s first name or first initial and last name, along with any one of the following unencrypted items: social security number, driver’s license number, Hawaii ID card number, or any account numbers, credit or debit card numbers, access codes or passwords which would allow access to an individual’s financial accounts. For purposes of the Act, information which is made publicly available from federal, state, or local records is generally not considered personal information.
If the information involved meets the criteria set forth above, then the business or government agency must determine whether a “security breach” has occurred. In short, this involves a determination of whether there has been an unauthorized acquisition of “personal information” and whether an illegal use of the information has occurred or is reasonably likely to occur. Once a business determines that an individual’s personal information has been compromised by a security breach, it must take the appropriate steps outlined in the Act to notify the individual involved without unreasonable delay. In the case of businesses that do not own or license the personal information, notification must be made immediately to the owner or licensee of such information.
Act 136
As one of the companion laws to Act 135, Act 136, codified at Haw. Rev. Stat. § 487R-2, provides that businesses and government agencies must take “reasonable measures” to protect against unauthorized access to an individual’s personal information contained in a business’s or government agency’s records during or after the disposal of said records. This is due, in part, to the fact that business and government records have been one of the greatest sources of personal information for thieves in recent years.
The “reasonable measures” which must be taken include: (1) implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that the information cannot practicably be read or reconstructed; (2) implementing and monitoring compliance with procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that said information cannot practicably be read or reconstructed; and (3) describing the procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.
However, a business may satisfy this obligation by entering into a written contract with an outside party in the business of record destruction to destroy such “personal information.” Nevertheless, businesses that hire outside parties to perform this service must still exercise “due diligence” in selecting a disposal business. For purposes of the Act, “due diligence” may include one or more of the following: (1) reviewing independent audits of the disposal business’s operations or its compliance with Act 136 or its equivalent; (2) obtaining information about the disposal business from several references or other reliable sources and requiring that the business be certified by a recognizable trade association or similar third party with a reputation for high standards of quality review; or (3) reviewing and evaluating the disposal business’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.
Consequences of Non-Compliance
Businesses that violate any provision of Act 135 or 136 are subject to State penalties and will be fined not more than $2,500 for each violation. These businesses may also be liable to the injured party for any actual damages sustained as a result of the theft. As such, businesses must take care to comply with the provisions of the above-summarized laws, as well as any and all other laws aimed at regulating identity theft. Businesses with specific questions about the implications of identity theft legislation should contact legal counsel, as the above is intended only as a brief overview and summary of some of the new legislation which has been passed.