Published · HI Tech Hui · ~9 min read
What compliance does my Hawaii business need in 2026? A decision guide
Every Hawaii business in 2026 is subject to Hawaii's state data breach notification law (HRS Chapter 487N). On top of that, the federal and industry frameworks that may apply depend on the data the business handles: PCI DSS 4.0.1 if you accept card payments, HIPAA if you touch protected health information, the FTC Safeguards Rule if you provide financial services or tax preparation, CMMC if you hold DoD contracts, and SOC 2 if enterprise customers require it. Most Hawaii SMBs land in two to four of these at once.
The baseline: Hawaii state law applies to every business
Before any federal or industry framework enters the picture, Hawaii law sets a floor. Hawaii Revised Statutes Chapter 487N — the state data breach notification statute — requires any business holding personal information of Hawaii residents to notify those residents without unreasonable delay when an unauthorized acquisition of unencrypted or unredacted personal information occurs and illegal use has occurred or is reasonably likely. If more than 1,000 residents are notified, the business must also notify the Hawaii Office of Consumer Protection and the major consumer reporting agencies. Encrypted data is a documented safe harbor, unless the attacker also obtained the key or decryption process. That is the single best reason to encrypt customer data at rest and in transit (and keep the keys separate) even when no other framework applies.
Hawaii does not yet have a comprehensive consumer privacy law. The Hawaii Office of Consumer Protection has publicly supported the federal SECURE Data Act in 2026. Until federal legislation passes, Hawaii businesses with customers in California, Colorado, Virginia, or other privacy-law states pick up obligations under those states' laws, each of which has its own revenue or data-volume threshold. A Honolulu firm selling SaaS to California consumers may be subject to the CCPA if it meets the statute's thresholds. Map customer geography before you map compliance.
The decision tree: which frameworks apply to your Hawaii business?
Use the following questions in order. Each "yes" adds a framework to your compliance stack. Most Hawaii SMBs end up with two to four.
1. Do you store, process, or transmit cardholder data?
If your business accepts credit card payments — at the counter, online, by phone, or any combination — PCI DSS 4.0.1 applies. There is no size threshold. Version 4.0.1 is the only active version; v3.2.1 retired March 31, 2024. All 51 future-dated v4.x requirements moved from best practice to mandatory on March 31, 2025. In 2026 every requirement is a hard pass/fail line item in the annual assessment, with no transition window remaining.
For a Hawaii merchant that means: documented network segmentation around the cardholder data environment (CDE), MFA for all access into the CDE, anti-phishing controls such as DMARC, SPF, and DKIM, 12-character passwords (or equivalent strength where a system cannot support that length), authenticated internal vulnerability scanning, and a current inventory of in-scope system components. Outsourcing payment handling to a hosted processor (Stripe, Square, Toast) shrinks scope to SAQ A or SAQ A-EP but does not eliminate the obligation: the merchant still completes an annual self-assessment and remains responsible for the parts of the payment flow it controls, such as the web page that loads the processor's form.
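The anti-phishing controls above are the one item in that list a merchant can verify from the outside in a few minutes, and assessors do. The following is an added example, not code from the original page or from HI Tech Hui: it evaluates a domain's SPF and DMARC TXT records against the bar an assessor will apply (SPF published and ending in -all or ~all, DMARC published, enforcing with p=quarantine or p=reject, applied to 100% of mail, with aggregate reporting on). The two sample records are constructed, not any real domain's DNS data, and treating ~all as acceptable when DMARC enforces is this example's policy choice. The records are passed in as strings so the check runs offline; in production you would resolve TXT for the bare domain (SPF) and for _dmarc.<domain> (DMARC) and feed the answers to the same functions.

```python
"""Evaluate SPF and DMARC records the way a PCI DSS 4.0.1 assessor looking at
Requirement 5.4.1 (anti-phishing mechanisms) would.  Added example; records
below are constructed, not live DNS data."""
import re
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the record meets the bar."""
    if not record:
        return ["DMARC: no record published at _dmarc.<domain>"]
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy or 'missing'} is monitor-only, not enforcing")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unfiltered")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: subdomain policy sp=none lets spoofed subdomains through")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to prove operation")
    return findings


# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[/:]|$)|mx(?:[/:]|$)|ptr|exists:|redirect=)")


def evaluate_spf(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the record meets the bar."""
    if not record:
        return ["SPF: no v=spf1 record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    # The last 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders default to neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF: '{all_terms[-1]}' lets any host send as the domain")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10")
    return findings


def check_domain(spf_record: Optional[str], dmarc_record: Optional[str]) -> dict:
    """Combine both checks into one pass/fail result with the reasons."""
    findings = evaluate_spf(spf_record) + evaluate_dmarc(dmarc_record)
    return {"passes": not findings, "findings": findings}


# Constructed sample records (placeholder domains, not real DNS data).
MONITOR_ONLY = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
ENFORCING = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, recs in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        result = check_domain(recs["spf"], recs["dmarc"])
        print(name, "PASS" if result["passes"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

Keep the findings text, not just the pass/fail, as evidence: a monitor-only DMARC record with a rua= address is exactly the state many merchants stop at, and it satisfies the reporting part of the control while doing nothing against a spoofed invoice.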
2. Do you touch protected health information?
HIPAA applies if your Hawaii business is a covered entity (healthcare provider, health plan, or clearinghouse) or a business associate (IT vendor, billing service, cloud host, MSP) that handles PHI for one of those entities. A neighbor-island PT clinic is a covered entity. The Oahu MSP that backs up its servers is a business associate. Both owe the HIPAA Security Rule administrative, physical, and technical safeguards. For the full controls map see HIPAA IT controls for Hawaii medical practices in 2026.
3. Are you a non-bank financial institution under the FTC Safeguards Rule?
The FTC Safeguards Rule (16 CFR Part 314) reaches further than most Hawaii business owners realize. It covers CPAs and tax preparers, bookkeepers, payroll providers, mortgage brokers, auto dealers that offer financing, real-estate settlement services, check cashers, wire transferors, and several adjacent categories. Core provisions have been enforceable since June 9, 2023. The breach notification amendment — notify the FTC within 30 days of discovering a security event involving 500 or more consumers' unencrypted personal information — took effect May 13, 2024. Notice is filed electronically through the FTC Safeguards Rule portal.
Covered Hawaii firms must designate a Qualified Individual, conduct a written risk assessment, encrypt customer information at rest and in transit, implement MFA, run continuous monitoring or annual penetration testing plus semi-annual vulnerability scans, train staff, oversee service providers with written security clauses, maintain a written IR plan, and report annually to leadership. A small-firm exemption (fewer than 5,000 consumer records) carves out the written risk assessment, monitoring/pen-testing, IR plan, and annual report — but MFA, encryption, the Qualified Individual, training, and service-provider oversight still apply.
4. Do you hold a DoD contract or subcontract?
CMMC applies if your Hawaii business holds a DoD contract or subcontract and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Handling FCI alone puts you at Level 1: the 15 basic safeguarding requirements of FAR 52.204-21, self-assessed annually. For most Hawaii SMBs in the defense supply chain that handle CUI it means CMMC Level 2 against the 110 requirements of NIST SP 800-171 Rev 2, assessed every three years either by self-assessment or by a certified third-party assessor (C3PAO) depending on what the contract specifies, with an annual affirmation in between. Pearl Harbor-adjacent contractors, federal facilities engineers, defense logistics suppliers, and DoD IT subcontractors are the common Hawaii populations.
5. Do enterprise customers require SOC 2?
SOC 2 is not legally required. Enterprise customers use it as their due-diligence gate. If your Hawaii business sells software, IT services, financial services, or operations support to companies with mature procurement, you will be asked for a SOC 2 Type II. Many Hawaii MSPs, SaaS firms, and fintechs carry it because they cannot close enterprise deals without it. For cost trade-offs across CMMC, SOC 2, and HIPAA see CMMC vs SOC 2 vs HIPAA for Hawaii SMBs.
Sample stacks: what real Hawaii businesses end up with
- Waikiki boutique hotel, 40 rooms: Hawaii data breach law plus PCI DSS 4.0.1. If guests include California residents and the hotel meets CCPA thresholds, add cross-border privacy obligations. Your cyber insurance carrier imposes its own controls on top — see cyber insurance renewal in Hawaii.
- Honolulu CPA firm, 15 staff: Hawaii data breach law plus FTC Safeguards Rule (full obligations if 5,000+ client records). Many CPA firms also pursue SOC 2 to land institutional or RIA clients.
- Neighbor-island specialty clinic, 8 providers: Hawaii data breach law plus HIPAA covered entity. If the clinic accepts cards, PCI DSS 4.0.1 stacks on top. The clinic's IT vendor is a HIPAA business associate with its own obligations.
The common control set that satisfies most of them at once
The frameworks differ in language and audit format but overlap heavily on the underlying controls. A Hawaii SMB program built once satisfies material portions of multiple frameworks at the same time. The minimum stack worth standing up in 2026:
- A written information security program (WISP) — the umbrella document. The IRS Publication 5708 template is a free starting point that is well-aligned to the FTC Safeguards Rule and acceptable as a foundation for most other frameworks.
- MFA on every identity — required by the FTC Safeguards Rule, PCI DSS 4.0.1, and CMMC, called for in HIPAA Security Rule guidance, and assumed by the security questionnaires SOC 2 auditors expect. Make it phishing-resistant (passkeys or FIDO2 security keys) wherever the platform allows — see our Entra passkeys piece.
- Encryption at rest and in transit — the documented Hawaii breach-law safe harbor; a mandatory control under PCI DSS 4.0.1 (stored account data and cardholder data crossing open networks), the FTC Safeguards Rule, and CMMC; and an "addressable" specification under the HIPAA Security Rule, which in practice means implement it or document why an equivalent measure is reasonable.
- A designated security owner — Qualified Individual under FTC Safeguards Rule, Security Officer under HIPAA, named owner under PCI DSS Requirement 12.
- Annual written risk assessment — a written assessment is required under the FTC Safeguards Rule; HIPAA requires a risk analysis that is kept current; PCI DSS 4.0.1 requires targeted risk analyses under Requirement 12.3; CMMC inherits the risk assessment family of NIST SP 800-171. One annual cycle with a written output covers all four.
- Vendor security clauses in every contract — required under FTC Safeguards Rule and HIPAA business associate agreements, expected under PCI DSS and SOC 2.
- Written incident response plan, rehearsed twice a year — required under the FTC Safeguards Rule (above the small-firm exemption), HIPAA, and PCI DSS 4.0.1, which also requires the plan to be reviewed and tested at least annually. Twice a year is the practical target; once a year is the floor.
- Security awareness training, refreshed annually — required across every framework.
- Breach notification procedures aligned to Hawaii's statute plus any federal counterpart that applies (FTC within 30 days of discovery for 500+ consumers; affected individuals and HHS within 60 days of discovery under the HIPAA Breach Notification Rule; acquirer and payment brand notification for PCI).
- Patching SLA aligned to CISA KEV — increasingly expected by insurers and assessors. See CISA KEV and the SMB patching SLA.
Build these once and map them to each framework. Audit work in year two and beyond becomes maintenance, not reinvention.
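The KEV-aligned patching SLA in the list above is the control most often claimed and least often evidenced: "we patch KEV items promptly" is not a control until a due date is computed per finding and the overdue list is reviewed. The following is an added example, not code from the original page or from HI Tech Hui. It joins an authenticated scanner's open-CVE findings against a snapshot of the CISA KEV catalog and computes a per-finding due date as the earlier of CISA's own dueDate and an internal SLA measured from dateAdded. The KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) are the real ones from known_exploited_vulnerabilities.json; the CVE rows, asset names, and the 7-day/14-day SLA values are constructed placeholders for the example.

```python
"""Patching SLA report aligned to the CISA KEV catalog.  Added example; the
catalog excerpt and scanner findings below are constructed placeholders, not
real KEV entries or real hosts."""
import json
from datetime import date, timedelta
from typing import Dict, List

# Excerpt in the schema of CISA's known_exploited_vulnerabilities.json.
# Field names are real; the CVE rows are placeholders (CVE-0000-*), not real entries.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor", "product": "Office Suite",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-1003", "vendorProject": "ExampleVendor", "product": "Server OS",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed export from an authenticated vulnerability scan: one row per open CVE per asset.
FINDINGS = [
    {"asset": "pos-terminal-01", "cve": "CVE-0000-1001"},
    {"asset": "fileserver-01", "cve": "CVE-0000-1002"},
    {"asset": "fileserver-01", "cve": "CVE-0000-1003"},
    {"asset": "hr-laptop-07", "cve": "CVE-0000-2001"},   # not in KEV: normal patch cycle
]

# Assumed internal policy: ransomware-linked KEV entries in 7 days, everything else in 14,
# never later than CISA's own dueDate.  Tune to your risk assessment.
SLA_DAYS = {"ransomware": 7, "default": 14}


def load_kev(raw_json: str) -> Dict[str, dict]:
    """Index the catalog by CVE ID for O(1) joins against scanner output."""
    return {entry["cveID"]: entry for entry in json.loads(raw_json)["vulnerabilities"]}


def internal_due(entry: dict, sla: Dict[str, int] = SLA_DAYS) -> date:
    """Earlier of (dateAdded + internal SLA) and CISA's dueDate."""
    added = date.fromisoformat(entry["dateAdded"])
    cisa_due = date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    days = sla["ransomware"] if ransomware else sla["default"]
    return min(added + timedelta(days=days), cisa_due)


def kev_sla_report(kev: Dict[str, dict], findings: List[dict], as_of: date,
                   sla: Dict[str, int] = SLA_DAYS) -> List[dict]:
    """One row per open KEV finding, most overdue first; non-KEV CVEs are skipped."""
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue
        due = internal_due(entry, sla)
        rows.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": entry.get("product", ""),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due.isoformat(),
            "days_overdue": max((as_of - due).days, 0),
        })
    rows.sort(key=lambda r: (-r["days_overdue"], r["cve"]))
    return rows


def overdue(rows: List[dict]) -> List[dict]:
    """The subset that should be on this week's remediation agenda."""
    return [r for r in rows if r["days_overdue"] > 0]


if __name__ == "__main__":
    report = kev_sla_report(load_kev(KEV_JSON), FINDINGS, as_of=date(2026, 3, 1))
    for row in report:
        flag = "RANSOMWARE " if row["ransomware"] else ""
        print(f"{row['asset']:16} {row['cve']:14} due {row['due']} "
              f"{flag}overdue {row['days_overdue']}d")
```

Run it weekly against the current catalog download and keep the output: the dated reports are the evidence an assessor or insurer asks for, and the days_overdue column is the metric the SLA is measured on.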
What does this cost a Hawaii business in 2026?
The bigger cost driver is framework count, not framework choice. One framework typically runs $15,000 to $45,000 per year (tooling, MFA licensing, training, assessor fees, IT time). Two frameworks: $25,000 to $70,000. Three or more: $45,000 to $120,000+. For the MSP cost component see our managed IT cost in Hawaii breakdown and the managed IT overview.
Common Hawaii compliance mistakes to avoid in 2026
- Assuming Hawaii's lack of a privacy law means no obligations. State breach statute, federal frameworks, and cross-border privacy law combine to put almost every Hawaii business in scope of something.
- Outsourcing without an agreement. A Hawaii MSP, accountant, or cloud provider that handles your customer data is your vendor under every framework. No written security agreement, no compliance.
- Treating PCI DSS as a once-a-year checkbox. Version 4.0.1 expects evidence that controls operate continuously, not just that they exist. A control switched on in March 2025 and never operated since cannot show a year of operation to a 2026 assessor; one that runs and logs every week can.
- Misreading the FTC Safeguards Rule small-firm exemption. MFA, encryption, the Qualified Individual, training, vendor oversight, and the 30-day breach notification have no small-firm carve-out.
- Underestimating cross-border state privacy laws. A Hawaii e-commerce business shipping to California consumers may have CCPA obligations regardless of physical location.
For a worked compliance map against your customer geography and data types, see our cybersecurity and SOC overview pages, or contact us. The NIST Small Business Cybersecurity Corner publishes free templates that map cleanly to the frameworks above.
Frequently asked questions
What compliance does my Hawaii business need in 2026?
Every Hawaii business in 2026 is subject to Hawaii's state data breach notification law (HRS Chapter 487N). On top of that, the federal and industry frameworks that may apply depend on what data the business handles: PCI DSS 4.0.1 if you accept card payments, HIPAA if you handle protected health information, the FTC Safeguards Rule if you provide financial services or tax preparation, CMMC if you hold DoD contracts, and SOC 2 if enterprise customers require it. Most Hawaii SMBs land in two to four of these at once.
Does Hawaii have a state privacy law in 2026?
Hawaii does not have a comprehensive state privacy law on the books in 2026. Hawaii's Office of Consumer Protection has publicly supported strong federal privacy legislation through the SECURE Data Act. What Hawaii does have is the data breach notification statute (HRS Chapter 487N), which requires businesses to notify affected residents without unreasonable delay when unencrypted personal information is compromised, and to notify the Office of Consumer Protection and the consumer reporting agencies as well when more than 1,000 residents are notified.
Does PCI DSS 4.0.1 apply to a Hawaii small business that takes credit cards?
Yes. PCI DSS 4.0.1 applies to any business that stores, processes, or transmits cardholder data, including the smallest Hawaii merchants. Version 4.0.1 is the only active version of the standard; v3.2.1 retired on March 31, 2024. All 51 future-dated v4.x requirements became mandatory on March 31, 2025, with no remaining grace period. Hawaii merchants that have not refreshed since v3.2.1 are now assessing against a withdrawn standard.
Does the FTC Safeguards Rule apply to my Hawaii business?
Yes if your business is a non-bank financial institution under the rule's broad definition: CPAs and tax preparers, bookkeepers, payroll providers, mortgage brokers, auto dealers offering financing, real-estate settlement services, and several others. Core provisions have been enforceable since June 9, 2023. The 30-day FTC breach notification for events involving 500 or more consumers took effect May 13, 2024. Hawaii firms below 5,000 consumer records get a partial exemption but still owe MFA, encryption, and a written program.
What does Hawaii's data breach notification law require in 2026?
Hawaii Revised Statutes Chapter 487N requires any business holding personal information of Hawaii residents to notify affected individuals without unreasonable delay when an unauthorized acquisition of unencrypted or unredacted personal information occurs. If more than 1,000 residents are notified, the business must also notify the Office of Consumer Protection and the major consumer reporting agencies. Violations carry a civil penalty of up to $2,500 per violation, and the business is liable to injured parties for their actual damages. Encryption is a documented safe harbor unless the key or decryption process was also taken.
When does a Hawaii business need CMMC, SOC 2, or HIPAA?
CMMC applies if you hold DoD contracts or subcontracts and handle Federal Contract Information or Controlled Unclassified Information. SOC 2 is not legally required but is contractually required by enterprise customers in tech, finance, and healthcare verticals. HIPAA applies if your Hawaii business is a healthcare provider, plan, clearinghouse, or any business associate (IT vendor, billing service, MSP) that touches protected health information for one of those entities.
What is the minimum compliance stack for a typical Hawaii small business in 2026?
A practical 2026 minimum for most Hawaii SMBs: a written information security program (WISP), MFA on every identity, encryption at rest and in transit, a designated security owner (Qualified Individual or named officer), annual risk assessment, vendor security clauses in contracts, a written incident response plan, security awareness training, and breach notification procedures aligned to Hawaii's statute. This baseline satisfies most of the FTC Safeguards Rule and large portions of PCI DSS, HIPAA, and CMMC Level 2 simultaneously.