STAND. COM. REP. NO. 2794

 

Honolulu, Hawaii

                   

 

RE:     S.B. No. 3016

        S.D. 1

 

 

 

Honorable Ronald D. Kouchi

President of the Senate

Thirty-Third State Legislature

Regular Session of 2026

State of Hawaii

 

Sir:

 

     Your Committee on Commerce and Consumer Protection, to which was referred S.B. No. 3016 entitled:

 

"A BILL FOR AN ACT RELATING TO PRIVACY,"

 

begs leave to report as follows:

 

     The purpose and intent of this measure is to:

 

     (1)  Add definitions of "identifier" and "specified data element" and amend the definition of "personal information" for the purposes of notifying affected persons of data and security breaches under existing state law that governs the security breach of personal information; and

 

     (2)  Include licensees subject to the Insurance Data Security Law among the businesses deemed compliant with security breach notice requirements under existing state law.

 

     Your Committee received testimony in support of this measure from the Office of Consumer Protection of the Department of Commerce and Consumer Affairs and two individuals.

 

     Your Committee received testimony in opposition to this measure from the Consumer Data Industry Association.

 

     Your Committee received comments on this measure from the Insurance Division of the Department of Commerce and Consumer Affairs, Hawaiian Telcom, Hawaii Bankers Association, and State Privacy and Security Coalition.

 

     Your Committee finds that the effectiveness of existing data breach notification laws are limited by the current definition of "personal information".  This measure would update the definition of "personal information" to reflect the digital era and ensure data breach notification requirements cover appropriate information to better protect the privacy of residents of the State.

 

     Your Committee acknowledges the concerns raised in testimony that including licensees subject to the Insurance Data Security Law among the businesses deemed compliant with security breach notification requirements may inadvertently exempt insurance licensees from notification requirements.  Your Committee also acknowledges the concerns raised in testimony that the measure, in its current form, may create duplicative or conflicting requirements for telecommunications carriers already regulated under federal law.

 

     Accordingly, your Committee has amended this measure by:

 

     (1)  Deleting language that would have deemed any licensee subject to the Insurance Data Security Law, chapter 431, article 3B, Hawaii Revised Statutes, compliant with data breach notification requirements;

 

     (2)  Inserting language that deems any telecommunications carrier subject to and in compliance with certain federal provisions compliant with data breach notification requirements under state law; and

 

     (3)  Inserting an effective date of July 1, 2050, to encourage further discussion.

 

     As affirmed by the record of votes of the members of your Committee on Commerce and Consumer Protection that is attached to this report, your Committee is in accord with the intent and purpose of S.B. No. 3016, as amended herein, and recommends that it pass Second Reading in the form attached hereto as S.B. No. 3016, S.D. 1, and be placed on the calendar for Third Reading.

 

Respectfully submitted on behalf of the members of the Committee on Commerce and Consumer Protection,

 

		________________________________ JARRETT KEOHOKALOLE, Chair