Identity (ID) Theft Protection Laws in Hawaii
New: Hawaii Identity Theft Protection Laws relating to the responsibilities and liabilities of businesses that handle confidential personal information.
Introduction
by Welmon "Rusty" Walker, Jr., MBA, CITRMS
Founder of the Nationwide "We Fight ID Theft" Program
Identity theft is the fastest growing crime committed in
The stolen information is used to open new credit card accounts, raid bank and checking accounts, write bad checks in new accounts, buy cars and houses, and commit other related crimes using other people's identities. The fast growing crime of raiding personal medical accounts is pervasive and devastating to our elderly. This has resulted in billions of dollars in losses for businesses and consumers. Last year alone, businesses and financial institutions reported losses in excess of fifty billion dollars. Many researchers feel that 70% or more of these theft cases are not reported to authorities.
There are five (5) types of identity theft:
1. Department of Motor Vehicle (DMV): using your ID to gain a driver's license (the most used form of ID in America) in your state or another. "Honolulu police say they hope that plans to revamp Hawaii driver's licenses will cut down on the high number of fake licenses used in forgery and identity theft cases." See http://starbulletin.com/2004/08/24/news/story1.html
2. Social Security Number: using your identity to work and avoid obligations like immigration, taxes and child support. See http://www.msnbc.msn.com/id/6814673
3. Medical Information Bureau (M.I.B.): using your ID (medical coverage number) to have sensitive medical tests and operations. See http://www.rd.com/content/openContent.do?contentId=30232
4. Character Identity: giving your personal information with a fake ID when arrested, detained or questioned by the police. For years, a retired Coast Guard veteran has been repeatedly mistaken for a convicted felon who once passed himself off as the veteran by presenting a fake driver's license. From then on, the disabled yeoman has faced serious legal issues. The thief remains at large. Therefore, each time a warrant is issued for his arrest (there have been four), warnings go off at the Social Security Administration and our veteran receives word that his checks will stop because wanted felons aren't eligible. At one point the 49-year-old father was jailed when authorities confused him with his ID theft doppelganger. See http://seattlepi.nwsource.com/local/308306_stolenid21.html
5. Credit and Financial Identity: not just credit card fraud, but using your ID to establish other credit accounts and never paying the bills. This is the only area where a bad credit rating may slow a theft down. However, children are now a major target for ID theft because their records are clean and unattended. See http://abcnews.go.com/WNT/story?id=598272
Once treated as an unimportant, victimless crime, ID theft has become the new mega money producer for deadbeats, the underworld and terrorists. Now, at the federal level, the prison term for aggravated (intentional) ID theft is 25 years, per the Gramm-Leach-Bliley Act, HIPAA and others. However, just being tricked into helping an ID criminal carries a prison term of up to 20 years. A survey shows businesses know little about FACTA. Small business owners still need information and education. See http://www.fellowes.com/Fellowes/site/aboutus/about_releases_13.aspx
All businesses in
Note: Hawaii Act 139 took effect on May 25, 2006. It establishes Criminal Penalties for just the "unauthorized possession of confidential personal information" as a Class C felony. Also, it adds identity theft as an enumerated offense within the repeat offender statute.
There is no relief. I repeat, there is no relief for even the smallest business, as there may be with other laws. Identity theft is a serious criminal matter. Businesses must be prepared to protect themselves.
"We will act against businesses that fail to protect their customer data."
-- Betsy Broder, FTC, Division of Privacy and Identity Protection
"If data is stolen from your business, you may wish they had taken the cash."
-- John Gardner, JD, CITRMS, National ID Theft Expert
Call 808-780-4269 or Email
The remainder of this Web page is built with information from the Hawaii State Web site for business, with notes and links to enhance communication. Compliance with these and other related laws need not be overbearing. Low cost systems and changes in operations will reduce your risk and liability. ID theft criminals go where the pickings are easy. They look for companies with lax systems and procedures.
W. Walker, Jr & Associates, Ltd. * 808-780-4269 * idt@AskRustyWalker.com
* * * * * * *
Last May, Hawaii's Governor Linda Lingle signed into law several bills which will provide increased protection to Hawaii residents from identity theft. Several of these bills will directly impact Hawaii businesses.
Act 135, Notification of Security Breaches, will require businesses and government agencies that keep confidential personal information about consumers to notify those consumers if that information has been compromised by an unauthorized disclosure.
Act 136, Destruction of Personal Information, will require businesses and government agencies to take reasonable measures to protect against unauthorized access to an individual's personal information when disposing of the records they keep.
Act 137, Social Security Number Protection, will restrict businesses and government agencies from disclosing consumers' Social Security numbers to the general public. All of these bills share a common goal: to protect individuals from exposure to identity theft by imposing limitations and restrictions on the use and disclosure of personal information.
I. NOTIFICATION OF SECURITY BREACHES
Act 135 imposes new obligations on the part of Hawaii businesses to notify an individual whenever the individual's personal information that is maintained by the business has been compromised by unauthorized disclosure. The underlying policy behind the Act is that prompt notification will help potential victims to act against identity theft by initiating steps to monitor their credit reputation. In this regard, it is extremely important that any business subject to the Act's provisions undertake measures to fully comply with the law when it becomes effective on January 1, 2007.
In determining whether an affected business must act, there are several issues it must address.
First, it must determine whether "personal information" has been compromised. "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or Hawaii ID card number; or account number, credit or debit card number, access code, or password that would permit access to an individual's financial account. It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Second, it must determine whether a "security breach" has occurred, as it is defined in Act 135.
Pursuant to the statutory definition, a "security breach" means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing "personal information" where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.
In this regard, if information has been compromised, the first thing that an affected business should do is determine whether the information constitutes "personal information" under the Act. If the information does not meet the statutory definition, the Act will not impose any affirmative obligation on the affected business.
Consequently, if records were stolen containing only an individual's name and address, the Act would not impose a duty on a business to inform the affected individual, since the Act would not consider the data "personal information." If, however, in addition to the name and address, social security numbers and/or financial account identifying data were compromised, the Act would clearly consider this information "personal information," and an obligation would ensue.
It is important to note, however, that even if a statutory obligation does not arise under Act 135, other legal obligations may exist which will require that notice be given in a particular instance.
For that reason, anytime information has been breached it is important for a business to consult with its own legal counsel to assist it with its statutory obligations.
[Note: The Federal Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801-6809, Disclosure of Nonpublic Personal Information.]
Once it has been established that personal information has been compromised, the affected business next must determine whether a "security breach" has occurred. In this analysis, it is incumbent on the business to try to determine whether illegal use of the personal information has occurred or is reasonably likely to occur and creates a risk of harm to a person. Since in many instances this may be difficult to discern, it would be prudent for the business to err on the side of caution and implement the necessary steps to inform the affected individuals. If a business has uncertainty regarding this legal standard, it should consult with its own legal counsel.
Notification Procedures
Once it has been established that a security breach has occurred and personal information has been compromised, a business will have to initiate action to inform the affected individuals. This disclosure must be made without "unreasonable delay." The only exception would be if a law enforcement agency informs the business in writing that notification may impede a criminal investigation or jeopardize national security. Once it has been determined that the notice will no longer impede the investigation, the notice must be promptly provided. [See http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.htm]
Form of the Notice
The actual notice of the breach must be "clear and conspicuous" and include a description of:
• The incident in general terms;
• The type of personal information that was subject to the unauthorized access and acquisition;
• The general acts of the business to protect the personal information from further unauthorized access;
• A telephone number that the person may call for further information and assistance, if one exists; and
• Advice that directs the person to remain vigilant by reviewing account statements and monitoring the no-cost annual credit reports mandated by federal law.
[Note: the proper Web site to request the report(s) is exactly www.AnnualCreditReport.com. The slightest misspelling may send one to a bogus and costly Web site that further risks your identity. I recommend using the printed form http://www.ftc.gov/bcp/conline/include/requestformfinal.pdf and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.]
Methods of Providing Notice
There are various ways in which the business may provide notice. These include:
• Written notice to the last available address the business has on record;
• Electronic mail notice, for those persons for whom a business has a valid email address and who have agreed to receive communications electronically;
• Telephonic notice to the affected persons (the giving of such notice should be documented in writing); and
• Substitute notice, if the business can demonstrate that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds two hundred thousand, or if the business does not have sufficient contact information or is unable to identify particular affected persons. In that case, substitute notice shall consist of email notice if the agency has an email address, conspicuous posting of the notice on the web page of the business, and notification to major statewide media. Consequently, in the event a security breach has occurred involving 10,000 persons and the business only has contact information for 9,000, substitute notice would be permissible for the remaining 1,000 persons.
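As an added example (not from this page or the Hawaii DCCA site), the decision steps above, the "personal information" test, the "security breach" test and the substitute-notice thresholds, encoded in Python so a responder can triage a set of compromised records; the record fields and sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Data elements that, combined with a name, make a record "personal information"
# under the Act 135 definition quoted on this page.
SENSITIVE_ELEMENTS = frozenset({
    "ssn", "drivers_license", "hawaii_id_card",
    "account_number", "card_number", "access_code", "password",
})
# Substitute-notice thresholds stated in the Act: notice cost in dollars, class size.
SUBSTITUTE_COST_THRESHOLD = 100_000
SUBSTITUTE_CLASS_THRESHOLD = 200_000


@dataclass
class Record:
    """One person's compromised record (field names are constructed for this example)."""
    has_name: bool                 # first name or first initial plus last name present
    elements: frozenset            # data elements the record holds
    encrypted: bool = False        # name and elements were encrypted at rest
    key_also_taken: bool = False   # confidential process or key acquired with the data
    public_record: bool = False    # lawfully public government-record data
    contactable: bool = True       # business holds a usable address or agreed email


def is_personal_information(rec: Record) -> bool:
    """Name in combination with at least one listed element; public records excluded."""
    if rec.public_record or not rec.has_name:
        return False
    return bool(rec.elements & SENSITIVE_ELEMENTS)


def is_security_breach(rec: Record, misuse_likely: bool) -> bool:
    """Unauthorized acquisition of unencrypted PI, or encrypted PI taken with its key,
    where illegal use has occurred or is reasonably likely (the Act's risk test)."""
    if not is_personal_information(rec):
        return False
    exposed = (not rec.encrypted) or rec.key_also_taken
    return exposed and misuse_likely


def notice_plan(records, misuse_likely: bool, per_notice_cost: float) -> dict:
    """Decide who must be notified and whether substitute notice is permitted.

    Substitute notice (email where held, conspicuous web posting, statewide media)
    is treated here as allowed for the whole class when direct notice would cost
    over $100,000 or the class exceeds 200,000 persons; otherwise only persons the
    business cannot contact fall back to substitute notice. Records that are not a
    "security breach" fall outside the Act, though other laws may still apply.
    """
    affected = [r for r in records if is_security_breach(r, misuse_likely)]
    n = len(affected)
    direct = sum(1 for r in affected if r.contactable)
    whole_class = (n * per_notice_cost > SUBSTITUTE_COST_THRESHOLD
                   or n > SUBSTITUTE_CLASS_THRESHOLD)
    return {
        "affected": n,
        "direct_notice": 0 if whole_class else direct,
        "substitute_notice": n if whole_class else n - direct,
        "whole_class_substitute": whole_class,
    }


def page_scenario() -> dict:
    """Constructed version of the page's example: 10,000 persons, contact data for 9,000."""
    records = [Record(True, frozenset({"ssn"}), contactable=(i < 9_000))
               for i in range(10_000)]
    return notice_plan(records, misuse_likely=True, per_notice_cost=2.0)
```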
[It is a good idea to also give a printed copy of the FTC publication Take Charge: Fighting Back Against Identity Theft (formerly: "ID Theft: When Bad Things Happen to Your Good Name") with any notice. Here is the online edition: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm. Plus, other organizations have given free credit monitoring for a year to victims of a personal information breach. This reduces a person's worry, improves PR for the organization and reduces the liability for damages.]
II. DESTRUCTION OF PERSONAL INFORMATION RECORDS
Business and government agency records are a leading source of personal information for identity thieves. Any entity that maintains personal information as part of its business operations should establish security procedures to maintain the confidentiality and integrity of that data. A critical element of any security plan is the destruction of records containing personal information when they are being discarded. Throughout the United States, there have been repeated instances of businesses carelessly dumping boxes containing scores of customers' personal information in dumpsters.
Act 136 imposes new obligations on the part of Hawaii businesses to properly dispose of "personal information" contained in their records. In short, it requires businesses that have "personal information" about individuals to destroy or shred that information when they are discarding it. This is necessary to preserve the confidentiality of our citizens' data. This new law takes effect on January 1, 2007.
Pursuant to Act 136, businesses must establish "reasonable measures" to protect against the unauthorized access to that information in connection with or after its disposal. These "reasonable measures" include:
• Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that the information cannot be practicably read or reconstructed;
• Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing "personal information" so that the information cannot practicably be read or reconstructed; and
• Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business.
A business may satisfy its obligation on its own or by entering into a written contract with another party engaged in the business of record destruction to destroy "personal information". If the business contracts out the service, it must still exercise "due diligence." Under Act 136, "due diligence" ordinarily includes one or more of the following:
• Getting and reviewing an independent audit of the disposal business's operations or its compliance with this statute or its equivalent;
• Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or
• Reviewing and evaluating the disposal business's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.
What this means is that it would be inappropriate to contract with someone without checking into their background. Contracting with a proven records destruction business which meets the above criteria would probably be OK, but hiring two guys with a truck with no experience in records destruction would not.
Pursuant to the Act, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or Hawaii identification card number; or account number, credit or debit card number, access code, or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Note that "personal information" is specifically defined. Records containing that information must be protected. "Records" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. This definition is quite broad. It includes data appearing on paper and in computers, including hard drives and computer disks. Consequently, if a business is in possession of "personal information" contained in records which it maintains, it is incumbent on it to properly dispose of them.
As noted above, a business may satisfy this statutory obligation by exercising "due diligence" and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of record destruction.
Additionally, since a breach of the destruction provisions may also invoke the security breach notification provisions of Act 135, an affected business must refer to that Act to determine whether additional action is required.
III. SOCIAL SECURITY NUMBER PROTECTION
The purpose of Act 137 is to minimize the abuses associated with the fraudulent use of a social security number (SSN) by attempting to restrict its use as an identifier. To provide businesses and government agencies with time to comply with the law, the Act is scheduled to take effect on July 1, 2007.
[Note: Stop using the SS# as an identifier of any kind, except where strictly required by law. There is no need to ask for the SS# on an employment application. Getting that type of information from someone you may never see (again), much less hire, is too risky. Yes, you need their SS#, and it is OK to do a background and credit check. However, you won't do that check for every application you receive. So why be responsible for a SS# that you don't need or want? Are you requesting other personal information on applications that you rarely use? Are the finished applications easily accessible to anyone walking by a desk or counter? Do you have a clean desk policy? Reducing risk requires new thinking about how we are using and protecting the SS# and other "non-public" personal information.]
Prohibited Uses of Social Security Numbers
Pursuant to the Act's provisions, unless otherwise authorized by law, a business cannot:
• Intentionally communicate or otherwise make available to the general public an individual's entire social security number;
• Intentionally print or imbed an individual's entire social security number on any card required for the individual to access products or services provided by the person or entity;
• Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted;
• Require an individual to use the individual's entire social security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website; and
• Print an individual's entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.
Permissible Uses of Social Security Numbers
Notwithstanding the general prohibition on the use and dissemination of social security numbers, there are several important exclusions to the rule.
Use of the social security number is permitted if the social security number is included in documents that are mailed and the documents:
• Are specifically requested by the individual identified by the social security number;
• Are required by state or federal law to include the social security number;
• Are required as part of an application or enrollment process;
• Are used to establish, amend, or terminate an account, contract, or policy; or
• Are used to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to the Fair Credit Reporting Act, as set forth in 15 U.S.C. Section 1681(b).
The following are also excluded from the prohibition:
• The opening of an account or the provision of or payment for a product or service authorized by an individual;
• The collection, use, or release of a social security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. Sections 1681 to 1681x, as amended; undertake a permissible purpose enumerated under the federal Gramm-Leach-Bliley Act, 15 U.S.C. Sections 6801 to 6809, as amended; locate an individual who is missing or due a benefit, such as a pension, insurance, or unclaimed property benefit; or locate a lost relative;
• A business or government agency acting pursuant to a court order, warrant, subpoena, or when otherwise required by law;
• A business or government agency providing the social security number to a federal, state, or local government entity including a law enforcement agency or court, or their agents or assigns;
• The collection, use, or release of a social security number in the course of administering a claim, benefit, or procedure relating to an individual's employment, including an individual's termination from employment, retirement from employment, injuries suffered during the course of employment, and other related claims, benefits, or procedures;
• The collection, use, or release of a social security number as required by state or federal law;
• The sharing of the social security number by business affiliates;
• The use of a social security number for internal verification or administrative purposes;
• A social security number that has been redacted; and
• Documents or records that are recorded or required to be open to the public pursuant to the constitution or laws of the State or court rule or order.
Notwithstanding the foregoing exceptions, a social security number that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or be visible on the envelope or without the envelope having been opened.
IV. Penalty Provisions
Any business that violates any provision of Acts 135, 136, or 137 shall be subject to penalties to the State of Hawaii of not more than $2,500 for each violation. In addition, any business that violates any provision shall be liable to an injured party in an amount equal to the sum of any actual damages sustained.
V. Disclaimer
This document is only intended to provide a summary of Acts 135, 136, and 137. It does not create or confer any rights or obligations on the part of any person, business, or government agency, nor does it supplant any statutory obligations imposed by any other state or federal law. Any business or person with specific questions regarding statutory interpretation should consult with their own legal counsel.
[http://www.hawaii.gov/dcca/quicklinks/id_theft_info/laws/ID_Theft_Info_For_Businesses]
* * * * * * *
Our Certified Identity Theft Risk Management Specialist (CITRMS) will provide a low or no cost Identity Theft Risk Assessment, with best practices procedure templates, check lists, computer system and physical security recommendations, plus our exclusive Nonpublic Personal Information (NPI) Security Coordinator Guidebook. Staff and employee training is included. All is provided in keeping with government compliance recommendations and sound business risk management practices. A review of your new procedures and systems by your legal counsel is then recommended.
Welmon "Rusty" Walker, Jr., MBA, CITRMS
W. Walker Jr. & Associates, Ltd.
808-780-4269
info@WeFightIDTheft.com - www.WWalkerJr.com