2023 Hawaii Revised Statutes
Title 24. Insurance
431. Insurance Code
431:3B-101 Definitions.

§431:3B-101 Definitions. As used in this article:

"Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Commissioner" means the insurance commissioner of the State.

"Consumer" means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.

"Cybersecurity event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on that information system. "Cybersecurity event" does not include:

(1) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; and

(2) An event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized systems, such as industrial controls systems, process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

"Licensee" means every licensed insurer, producer, and any other person licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered, under chapter 431 or 432, or holding a certificate of authority under chapter 432D. "Licensee" does not include a purchasing group or risk retention group chartered and licensed in a state other than this State, or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:

(1) Knowledge factors, such as a password;

(2) Possession factors, such as a token or text message on a mobile phone; or

(3) Inherence factors, such as a biometric characteristic.

"Nonpublic information" means electronic information that is not publicly available information and is:

(1) Any information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:

(A) Social security number;

(B) Driver's license number or non-driver identification card number;

(C) Financial account number or credit or debit card number;

(D) Any security code, access code, or password that would permit access to a consumer's financial account; or

(E) Biometric records; or

(2) Any information or data subject to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that identifies a particular consumer and that relates to:

(A) The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;

(B) The provision of health care to any consumer; or

(C) Payment for the provision of health care to any consumer.

"Person" means any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency, or association.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. For purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:

(1) That the information is of the type that is available to the general public; and

(2) Whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

"Risk assessment" means the risk assessment that each licensee is required to conduct under section 431:3B-202.

"State" means the State of Hawaii.

"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee. [L 2021, c 112, pt of §2]
