HI SB796

Requires businesses maintaining personal information about Hawaii residents to implement a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the business's size and complexity.

Exempts financial institutions subject to federal Interagency Guidelines Establishing Information Security Standards (12 C.F.R. Part 748, Appendix A) from the information security program requirement.

Expands the definition of "security breach" to include inadvertent unauthorized disclosure of unencrypted personal information and clarifies that encrypted data breaches require both the encrypted records and confidential process or key.

Requires security breach notification letters to include toll-free contact numbers and addresses for major credit reporting agencies and information on how to place fraud alerts or security freezes.

Makes security breach victims exempt from fees when placing, lifting, or removing security freezes on credit reports with consumer credit reporting agencies, while other consumers may be charged up to $5 per request.