Protecting Confidential Client Information

by Sheryll Bonilla, Esq.

Hawaii law (H.R.S. 487R-2) governs any company that conducts business in Hawaii or that maintains or possesses personal information about Hawaii residents.

It requires companies to “take reasonable measures to protect against the unauthorized access to or use of the information in connection with or after its disposal.”

Personal, confidential information means a person’s name and any identifying information that can affect that person’s financial interests.

Businesses are required to properly dispose of and destroy the information in a secure way after use. Companies are required to have written policies and take reasonable measures. This includes destruction or erasure of electronic and non-paper media, and burning, pulverizing, shredding, or other secure destruction of papers containing personal information.

After a company has discovered or been notified of a security breach, the statute (H.R.S. 487N-2) requires the company to give notice to the people affected.

The disclosure must be given promptly, consistent with the needs of law enforcement and with any measures necessary to determine sufficient contact information and the scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the data system.

Do you store or receive confidential client information or do business over your laptop, phone, tablet, or other portable device? If you lose your electronic device, or it is stolen or hacked, that might trigger your duty to notify those affected by this security breach that their information could be compromised.

Protect against security breaches. Set a password so that the device can’t be used without it. Have “remote kill” ability so that you or your service provider can shut off your device without knowing where it is. Use other security methods.

There’s further protection required for social security numbers (H.R.S. 487J-2). Businesses are prohibited from:

1. intentionally communicating or making available to the general public an individual’s entire social security number;

2. requiring an individual to transmit the entire SSN over the internet unless the connection is secure, or the SSN is encrypted; or

3. printing an individual’s entire SSN on any materials mailed to the individual, unless the materials are employer-to-employee communications, or it is specifically requested by the individual.

Businesses that violate this are liable to the injured party and are also subject to penalties of $500 – $1500 per violation (H.R.S. 487J-3).

This article is for informational purposes only and is not to be construed as offering legal advice. Please consult an attorney for your individual situation. The author is not responsible for a reader’s reliance on the information contained here.

