This article lists the specific elements that are required by Hawaii State Revised Statute HRS 487N to be included in any breach notification letter sent to individuals affected by the breach.

If it has been determined that a security breach has occurred, HRS 487N requires that all affected individuals be notified.  The actual notice of the breach must be "clear and conspicuous" and include a description of:
- The incident in general terms;
- The type of personal information that was subject to the unauthorized access and acquisition;
- The general acts of the business to protect the personal information from further unauthorized access;
- A telephone number that the person my call for further information and assistance, if one exists; and
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Notification can be made using any of the following methods:
- Written notice to the last available address the business or government agency has on record;
- Electronic mail notice, for those persons for whom a business or government agency has a valid electronic mail address and who have agreed to receive communications electronically;
- Telephonic notice, provided that contact is made directly with the affected persons;
- and/or substitute notice.

If the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business or if there isn't sufficient contact information, substitute notification is allowed.

A substitute notice shall consist of all the following:

- Electronic mail notice when the business or government agency has an electronic mail address for the subject persons;
- Conspicuous posting of the notice on the website page of the business or government agency, if one is maintained; and
- Notification to major statewide media.

Additionally, a written report must be submitted to the legislature within twenty days after discovery of a security breach at the government agency.

The written report must include the following information:

• the nature of the breach
• the number of individuals affected by the breach
• a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent
• whether the notice was delayed due to law enforcement considerations
• and any procedures that have been implemented to prevent the breach from reoccurring.

Please contact the Information Security Officer, Jodi Ito (jodi@hawaii.edu, or (808) 956-2400) for guidance or with any questions related to this article.

^
BACK TO TOP

Use of this site implies consent with our Usage Policy | The University of Hawai‘i is an Equal Opportunity Institution
© 2015 Information Technology Services | All Rights Reserved | University of Hawai‘i System