Hawaii Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Hawaii requires businesses and government agencies to notify residents when their personal information has been compromised in a data breach. The state's Security Breach of Personal Information law, codified at HRS Chapter 487N, was originally enacted in 2006 and has been updated to reflect modern data security concerns.
Hawaii's law stands out for two reasons. First, it covers both electronic and paper records, not just computerized data. Second, it provides affected individuals with a private right of action, allowing them to sue for actual damages and recover attorney's fees. These provisions make Hawaii's breach notification framework stronger than those of many other states.
This guide covers the notification requirements, timelines, penalties, and enforcement mechanisms under Hawaii law.
For broader context on Hawaii's overall privacy framework, see the parent guide to [Hawaii Data Privacy Laws](/us-laws/data-privacy-laws/hawaii-data-privacy-laws).
Who Must Comply
Hawaii's breach notification law applies to three categories of entities under HRS 487N-2:
Businesses that own or license personal information of Hawaii residents must notify affected individuals when a breach occurs.
Businesses that conduct business in Hawaii and own or license personal information in any form, whether computerized, paper, or otherwise, must also comply.
Government agencies that collect personal information for specific government purposes have the same notification obligations.
This broad applicability means that any business handling the personal information of Hawaii residents, regardless of where the business is located, must comply with the notification requirements.
What Qualifies as Personal Information
Under HRS 487N-1, "personal information" means an individual's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit or debit card number, or access code or password that would allow access to a financial account
- Health insurance information, including policy or subscriber identification numbers combined with any unique identifier used by a health insurer to identify the individual
- Medical or health information, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
The definition excludes publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Expanded Definition Under SB 1038
In 2025, Hawaii introduced SB 1038, which proposes updating and expanding the definition of personal information. The bill would add new categories of "identifiers" and "specified data elements," including email addresses combined with passwords, biometric data, and security codes. This expansion reflects recommendations from the Twenty-First Century Privacy Law Task Force to align Hawaii's definitions with more comprehensive state privacy laws.
What Triggers a Notification
A "security breach" under Hawaii law means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur, and that creates a risk of harm to a person.
Two key points distinguish Hawaii's trigger:
Risk of harm required. Not every unauthorized access requires notification. The entity must determine that illegal use has occurred or is reasonably likely to occur and that the breach creates a risk of harm.
Encrypted data exception. If the breached records were encrypted, no notification is required unless the encryption key or confidential process was also compromised in the same incident.
Notification Timeline and Requirements
Timeline
Hawaii does not set a specific number of days for notification. Instead, the law requires disclosure "without unreasonable delay," consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
This flexible standard gives businesses some room to investigate the breach before notifying, but it also means that the Hawaii Office of Consumer Protection or a court can determine after the fact whether a delay was unreasonable.
Methods of Notification
Businesses can provide notice through:
- Written notice sent to the last known mailing address
- Electronic notice consistent with federal E-SIGN Act requirements
- Substitute notice if the cost of direct notice would exceed $100,000, the affected class exceeds 200,000 people, or the business does not have sufficient contact information. Substitute notice requires email notice (if available), conspicuous posting on the business's website, and notification to major statewide media.
Content of Notification
The notification must include a description of the categories of personal information that were subject to the unauthorized access and acquisition.

Government Agency Reporting
When a breach affects more than 1,000 Hawaii residents, businesses must also provide written notice to the Office of Consumer Protection at the Department of Commerce and Consumer Affairs.
Third-Party Agent Obligations
Businesses located in Hawaii that maintain or possess records containing personal information they do not own or license must notify the owner or licensee of the information immediately following discovery of the breach.
Penalties and Enforcement
Civil Penalties
Any business that violates any provision of Chapter 487N faces penalties of up to $2,500 per violation under HRS 487N-3. The Attorney General or the executive director of the Office of Consumer Protection may bring enforcement actions.

Private Right of Action
Hawaii is one of the few states that grants individuals a private right of action for data breach notification violations. Any business that violates Chapter 487N is liable to the injured party for actual damages sustained as a result of the violation. Courts may award reasonable attorney's fees to the prevailing party.
This provision gives Hawaii residents meaningful recourse. Unlike states where only the Attorney General can act, affected individuals in Hawaii can pursue their own claims in court.
Waiver Prohibition
Any waiver of the provisions of Chapter 487N is contrary to public policy and is void and unenforceable. This means businesses cannot include clauses in contracts or terms of service that attempt to waive a consumer's rights under the breach notification law.
HIPAA Safe Harbor
Healthcare providers and health plans that comply with the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are deemed in compliance with Hawaii's notification requirements. This avoids duplicative obligations for HIPAA-covered entities that already maintain breach notification procedures under federal law.

How Hawaii Compares to Other States
Hawaii's breach notification law has several features that set it apart from many other states.
Covers paper records. Many states only require notification for breaches of computerized data. Hawaii covers personal information "in any form," including paper records.
Private right of action. Most states limit enforcement to the attorney general. Hawaii allows individuals to sue directly for actual damages and attorney's fees.
No specific day count. Unlike states that set 30-, 45-, or 60-day deadlines, Hawaii uses the "without unreasonable delay" standard. This provides flexibility but also creates uncertainty.
Health information included. Hawaii's definition of personal information includes medical history, mental and physical conditions, and health insurance information, which some states do not include.
Lower per-violation penalty. At $2,500 per violation, Hawaii's penalty is lower than those in states like California ($7,500 per intentional violation) or the $500,000 caps found in Alabama and Arizona.
This article provides general legal information about Hawaii data breach notification laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Hawaii for advice about your specific situation.
Sources and References
- HRS Chapter 487N, Security Breach of Personal Information (capitol.hawaii.gov)
- HRS 487N-1, definitions including personal information (capitol.hawaii.gov)
- HRS 487N-2, notice of security breach requirements (capitol.hawaii.gov)
- HRS 487N-3, penalties and private right of action (capitol.hawaii.gov)
- Hawaii Office of Consumer Protection, security breach notices (hawaii.gov)
- SB 1038, expanding personal information definition (capitol.hawaii.gov)
- HIPAA Privacy Rule (hhs.gov)