Hawaii State Victim Resources:
Agencies that offer assistance to IDT victims:
Legal Aid Society of Hawaii
Security Freeze Law:
All Hawaii consumers are allowed to place security freezes on their consumer credit reports to prevent new accounts from being opened in their names. Such a freeze enables the consumer to prevent anyone from looking at his/her credit file for the purpose of granting credit unless the consumer chooses to allow a particular business look at the information. To request a freeze, a consumer must request one in writing by certified mail.
Consumer reporting agencies may charge a fee of $5 to place, lift, or remove a security freeze from the consumer’s credit report. However, victims of identity theft with a valid police report or investigative complaint may not be charged.
The reporting agency must place the freeze within five business days after receiving the request, and within ten days must send a written confirmation of the freeze and provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time. Requests for a temporary unlocking of the freeze must be completed within three business days.
Department of Commerce and Consumer Affairs “Credit Security Freeze”
How to Obtain a Security Freeze in Hawaii:
Mandatory Police Report Law for Identity Theft Victims:
No State law at this time.
Identity Theft Passport Law:
No State law at this time.
Identity Theft Laws:
A person commits the offense of identity theft in the first degree if he makes or causes to be made, either directly or indirectly, a transmission of any personal information of another by any oral statement, any written statement, or any statement conveyed by any electronic means, with the intent to:
- Facilitate the commission of a murder in any degree, a class A felony, kidnapping, unlawful imprisonment in any degree, extortion in any degree, any firearms or weapons offense, criminal property damage in the first or second degree, escape in any degree, any offense related to witness or jury intimidation or bribery, rioting, or any organized crime offense; or
- Commit the offense of theft in the first degree from the person whose personal information is used, or from any other person or entity. Theft in the first degree involves property or services valued over $20,000.
Identity theft in the first degree is a class A felony, punishable by up to twenty years in prison and/or a fine up to $50,000 Statute: §708-839.6.
A person commits identity theft in the second degree if the intent is to commit the offense of theft in the second degree from any person or entity. Theft in the second degree involves property or services valued over $300. Violations are a class B felony, punishable by up to ten years in prison and/or a fine up to $25,000.
Identity theft in the third degree involves the intent to commit the offense of theft in the third (over $100) or fourth degree (less than $100). Violations are a class C felony, punishable by up to five years in prison and/or a fine up to $10,000.
“Personal information” means information associated with an actual person or a fictitious person that is a name, an address, a telephone number, an electronic mail address, a driver’s license number, a Social Security number, an employer, a place of employment, information related to employment, an employee identification number, a mother’s maiden name, an identifying number of a depository account, a bank account number, a password used for accessing information, or any other name, number, or code that is used, alone or in conjunction with other information, to confirm the identity of an actual or a fictitious person.
A person commits the offense of unauthorized possession of confidential personal information if he intentionally or knowingly possesses, without authorization, any confidential personal information of another in any form, including but not limited to mail, physical documents, identification cards, or information stored in digital form. Violations are a class C felony. This law targets people who possess personal information who have not yet caused a monetary loss to the victim.
A person commits the crime of obtaining a government-issued identification document under false pretenses if he, with intent to mislead a public servant, obtains an identification document issued by the state or any political subdivision thereof by making any statement, oral or written, that the person does not believe to be true, in an application for any government-issued identification document; or submits or invites reliance on any writing that the person knows to be falsely made, completed, or altered. It is obtaining a government-issued identification document under false pretenses in the first degree if there is intent to facilitate a felony. This is a class C felony. If there is no intent to commit a felony, it is a second-degree crime, a misdemeanor offense, punishable by up to one year in jail and/or a fine up to $2000.
Other Related Laws:
A person commits the crime of making a false statement to procure issuance of a credit card if he makes or causes to be made, either directly or indirectly, any false statement in writing, knowing it to be false, and with intent that it be relied on, respecting the person’s identity or that of any other person, firm, or corporation, for the purpose of procuring the issuance of a credit card. Violations are a misdemeanor.
A person commits the crime of credit card theft if he takes a credit card from the person, possession, custody, or control of another without the cardholder’s consent; or who, with knowledge that it has been so taken, receives the credit card with intent to use it or sell it, or transfer it to a person other than the issuer or the cardholder. If a person has in his possession or control credit cards issued in the names of two or more other people, which have been taken or obtained fraudulently, it is prima facie evidence that the person knew that the credit cards had been taken or obtained without the cardholder’s consent.
Credit card theft also applies to a person who receives a credit card knowing it to have been lost, mislaid, or delivered under a mistake as to the identity or address of the cardholder, and who retains possession with intent to use, sell, or transfer it. Selling a credit card, other than the issuer, or buying a credit card from someone other than the issuer is also covered under credit card theft. Violations are a class C felony.
A person commits the offense of fraudulent use of a credit card, if with intent to defraud the issuer, or another person or organization providing money, goods, services, or anything else of value, or any other person, if he:
- Uses or attempts or conspires to use, for the purpose of obtaining money, goods, services, or anything else of value, uses a credit card obtained or retained fraudulently.
- Obtains or attempts or conspires to obtain money, goods, services, or anything else of value
- by representing without the consent of the cardholder that the person is the holder of a specified card or by representing that the person is the holder of a card and such card has not in fact been issued.
- Uses or attempts or conspires to use a credit card number without the consent of the cardholder for the purpose of obtaining money, goods, services, or anything else of value.
Violations are a class C felony if the value of all money, goods, services, and other things of value obtained or attempted to be obtained exceeds $300 in any six-month period. Each separate use of a credit card that exceeds $300 constitutes a separate offense. It is a misdemeanor if the value is under $300 in a six-month period.
Disposal of Records:
To prevent identity theft, state law restricts how businesses and government agencies can dispose of paper records with personal identifying information about individuals. The law requires businesses and state or local government agencies to take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. This includes implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information and the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot be practicably read or reconstructed. Violations are punishable by a civil penalty not to exceed $2,500 for each violation, injunctive relief and actual damages, costs and reasonable attorney’s fees.
The law defines personal information as an individual’s first name or initial and last name in combination with any or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver’s license number or Hawaii identification card number; or account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account. It does not include publicly available information.
Social Security Numbers:
State law places limits on the use and dissemination of Social Security numbers (SSNs). The law prohibits businesses or government agencies from:
- Intentionally communicating or otherwise making available to the general public an individual’s entire SSN;
- Intentionally printing or imbedding an individual’s entire SSN on any card required to access products or services provided by the person or entity;
- Requiring an individual to transmit his entire SSN over the internet, unless the connection is secure or the social security number is encrypted;
- Requiring an individual to use his entire SSN to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website;
- Printing an individual’s entire SSN on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.
- While mailing certain documents with a SSN is permitted or required by law, the SSN, in whole or in part, may not be printed on a postcard or other mailer not requiring an envelope or visible on the envelope or without the envelope having been opened.
Unauthorized use of a Social Security number is punishable by a $2,500 fine per violation. An injured individual may recover actual damages.
State law requires state and local government agencies that collect person information for specific government purposes and businesses that own or license personal information of residents in Hawaii to notify consumers when their personal information is compromised during a security breach, putting them at risk of identity theft. A security breach occurs upon “unauthorized access to and acquisition of unencrypted or un-redacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.” It also includes any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key.
Personal information is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number, driver’s license number or Hawaii identification card number, or account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account. It does not include publicly available information. Disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system. The notice must be clear and conspicuous, including a description of the following: the incident in general terms; the type of personal information that was subject to the unauthorized access and acquisition; the general acts of the business or government agency to protect the personal information from further unauthorized access; a telephone number that the person may call for further information and assistance, if one exists; and advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. The Hawaii Office of Consumer Protection and the consumer reporting agencies must also be notified when the breach is disclosed to more than 1,000 people at a time
Notification can be provided to the affected persons by mail, e-mail, or telephone. If the cost of providing regular notice would exceed $100,000, the amount of people to be notified exceeds 200,000, or the agency or business does not have sufficient contact information, substitute notice may be provided. When substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the entity’s web site, and notification to major statewide media.