As used in this article:
"Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.
"Commissioner" means the insurance commissioner of the State.
"Consumer" means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.
"Cybersecurity event" means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on that information system. "Cybersecurity event" does not include:
(1) The unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; and
(2) An event in which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
(1) Knowledge factors, such as a password;
(2) Possession factors, such as a token or text message on a mobile phone; or
(3) Inherence factors, such as a biometric characteristic.
(1) Any information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:
(A) Social security number;
(B) Driver's license number or non-driver identification card number;
(C) Financial account number or credit or debit card number;
(D) Any security code, access code, or password that would permit access to a consumer's financial account; or
(E) Biometric records; or
(2) Any information or data subject to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that identifies a particular consumer and that relates to:
(A) The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
(B) The provision of health care to any consumer; or
(C) Payment for the provision of health care to any consumer.
(1) That the information is of the type that is available to the general public; and
(2) Whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.
"Risk assessment" means the risk assessment that each licensee is required to conduct under section 431:3B-202.
"State" means the State of Hawaii.
"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.
HRS § 431:3B-101