00 CS FOR SENATE BILL NO. 222(JUD) 01 "An Act relating to breaches of security involving personal information, credit report 02 security freezes, consumer credit monitoring, credit accuracy, protection of social 03 security numbers, disposal of records, factual declarations of innocence after identity 04 theft, filing police reports regarding identity theft, furnishing consumer credit header 05 information, and truncation of credit and debit card information; and amending Rule 06 60, Alaska Rules of Civil Procedure." 07 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 08  * Section 1. AS 45 is amended by adding a new chapter to read: 09 Chapter 48. Personal Information Protection Act.  10 Article 1. Breach of Security Involving Personal Information.  11 Sec. 45.48.010. Disclosure of breach of security. (a) If a person owns or uses 12 personal information that includes personal information on a state resident, and a 13 breach of the security of the information system containing the personal information 01 occurs, the person shall, after discovering or being notified of the breach, disclose the 02 breach to each state resident whose personal information was subject to the breach. 03 (b) An information collector shall make the disclosure required by (a) of this 04 section in the most expedient time possible and without unreasonable delay, except as 05 provided in AS 45.48.020 and as necessary to determine the scope of the breach and 06 restore the reasonable integrity of the information system. 07 Sec. 45.48.020. Allowable delay in notification. An information collector 08 may delay disclosing the breach under AS 45.48.010 if an appropriate law 09 enforcement agency determines that disclosing the breach will interfere with a 10 criminal investigation and provides the information collector with a written request for 11 the delay. However, the information collector shall disclose the breach to the state 12 resident as soon as the law enforcement agency informs the information collector in 13 writing that disclosure of the breach will no longer interfere with the investigation 14 Sec. 45.48.030. Methods of notice. An information collector shall make the 15 disclosure required by AS 45.48.010 16 (1) by a written document; 17 (2) by electronic means if making the disclosure by the electronic 18 means is consistent with the provisions regarding electronic records and signatures 19 required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. 20 (Electronic Signatures in Global and National Commerce Act); or 21 (3) if the information collector demonstrates that the cost of providing 22 notice would exceed $250,000, that the affected class of state residents to be notified 23 exceeds 500,000, or that the information collector does not have sufficient contact 24 information to provide notice, by 25 (A) electronic mail if the information collector has an 26 electronic mail address for the state resident; 27 (B) conspicuously posting the disclosure on the Internet 28 website of the information collector if the information collector maintains an 29 Internet site; and 30 (C) providing a notice to major statewide media. 31 Sec. 45.48.040. Exception for employees and agents. In AS 45.48.010 - 01 45.48.090, the good faith acquisition of personal information by an employee or agent 02 of an information collector for a legitimate purpose of the information collector is not 03 a breach of the security of the information system if the employee or agent does not 04 use the personal information for a purpose unrelated to a legitimate purpose of the 05 information collector and does not make further unauthorized disclosure of the 06 personal information. 07 Sec. 45.48.050. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and 08 unenforceable. 09 Sec. 45.48.060. Violations. (a) If an information collector violates 10 AS 45.48.010 - 45.48.090 with regard to the personal information of an individual, the 11 individual or a state agency may bring a civil action in court to 12 (1) recover the damages suffered by the state resident; 13 (2) enjoin from further violations of AS 45.48.010 - 45.48.090 an 14 information collector who engages in business and the security breach occurred to the 15 personal information used or owned by the information collector in the business. 16 (b) The rights and remedies available under this section are in addition to any 17 other rights and remedies available under another law. 18 (c) In this section, "state agency" means 19 (1) a department, division, or office in the executive branch of state 20 government that has authority under the statutes of this state to regulate the operation 21 of the information collector; or 22 (2) the Department of Law if another state agency does not have 23 authority under the statutes of this state to regulate the operation of the information 24 collector. 25 Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090, 26 (1) "breach of the security" means unauthorized acquisition, or 27 reasonable belief of unauthorized acquisition, of personal information that 28 compromises the security, confidentiality, or integrity of the personal information 29 maintained by the information collector; in this paragraph, "acquisition" includes 30 acquisition by 31 (A) photocopying, facsimile, or other paper-based method; 01 (B) a device, including a computer, that can read, write, or 02 store information that is represented in numerical form; or 03 (C) a method not identified by (A) or (B) of this paragraph; 04 (2) "information collector" means a person who owns or uses personal 05 information in any form if the personal information includes personal information on a 06 state resident; 07 (3) "personal information" means information in any form on an 08 individual that is not encrypted or redacted, or is encrypted and the encryption key has 09 been accessed or acquired, and that consists of a combination of 10 (A) an individual's name, address, or telephone number; in this 11 subparagraph, "individual's name" means a combination of an individual's 12 (i) first name or first initial; and 13 (ii) last name; and 14 (B) one or more of the following information elements: 15 (i) the individual's social security number; 16 (ii) the individual's driver's license number or state 17 identification card number; 18 (iii) the individual's account number, credit card 19 account number, or debit card account number; 20 (iv) account passwords or personal identification 21 numbers or other access codes. 22 Article 2. Credit Report Security Freeze.  23 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a 24 consumer credit reporting agency from releasing all or a part of the consumer's credit 25 report or information derived from the credit report without the express authorization 26 of the consumer by placing a security freeze on the consumer's credit report. 27 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a 28 consumer shall make the request to the consumer credit reporting agency 29 (1) by certified mail; 30 (2) by telephone if the consumer provides the consumer credit 31 reporting agency with certain personal identification; or 01 (3) through a secure electronic mail connection if the consumer credit 02 reporting agency makes a secure electronic mail connection available to the consumer. 03 (b) A consumer credit reporting agency shall place a security freeze within 04 five business days after receiving a request under (a)(1) of this section and 05 immediately after receiving a request under (a)(2) or (3) of this section. 06 Sec. 45.48.120. Confirmation of security freeze. (a) Within five business 07 days after a consumer makes the request under AS 45.48.110, a consumer credit 08 reporting agency shall send a written confirmation of the placement of the security 09 freeze to the consumer. 10 (b) At the same time that the consumer credit reporting agency sends a 11 confirmation under (a) of this section, the consumer credit reporting agency shall 12 provide the consumer with a unique personal identification number or password to be 13 used by the consumer when the consumer authorizes the release of the consumer's 14 credit report or information derived from the report under AS 45.48.130. 15 Sec. 45.48.130. Access and actions during security freeze. (a) While a 16 security freeze is in place, a consumer credit reporting agency shall allow a third party 17 access to a consumer's credit report or information derived from the credit report if the 18 consumer requests that the consumer credit reporting agency allow the access. 19 (b) To make a request under (a) of this section, the consumer shall contact the 20 consumer credit reporting agency by telephone, certified mail, or secure electronic 21 mail connection, authorize the consumer credit reporting agency to allow the access, 22 and provide the consumer credit reporting agency with 23 (1) proper identification to verify the consumer's identity; 24 (2) the unique personal identification number or password provided 25 under AS 45.48.120(b); and 26 (3) the proper information necessary to identify the third party to 27 whom the consumer credit reporting agency may allow the access or the time period 28 during which the consumer credit reporting agency may allow the access to third 29 parties who request the access. 30 (c) A consumer credit reporting agency that receives a request from a 31 consumer under (b) of this section shall comply with the request immediately after 01 receiving the request by telephone or electronic mail or within three business days 02 after receiving the request by certified mail. 03 (d) If a security freeze is in place, a consumer credit reporting agency may not 04 release the credit report or information derived from the credit report to a third party 05 without the prior express authorization of the consumer. 06 (e) If a security freeze is in place on a consumer's credit report and 07 information derived from the credit report and if a third party applies to a consumer 08 credit reporting agency to provide the third party with access to the consumer's credit 09 report or information derived from the credit report, the consumer credit reporting 10 agency and, except as provided for insurers under (f) of this section, the third party 11 may treat the third party's application as incomplete unless the consumer authorizes 12 the access under (a) of this section. 13 (f) If an insurer requests access to a consumer report on which a security 14 freeze is in place, unless the consumer authorizes access under (a) of this section, the 15 insurer may 16 (1) treat the consumer's application as incomplete; 17 (2) decline the consumer's application if the consumer does not lift the 18 security freeze for the insurer after a request by the insurer or the insurer's agent; 19 (3) treat the consumer as if the consumer has a neutral credit rating; 20 (4) exclude the use of credit information as a factor and use only 21 underwriting criteria; or 22 (5) treat the consumer in a manner that is otherwise approved by the 23 division of insurance. 24 (g) A consumer credit reporting agency shall notify a consumer that a third 25 party has attempted to access the consumer's credit report or information derived from 26 the report if a third party requests a consumer credit reporting agency to provide the 27 third party with access to the credit report or information, a security freeze has been 28 placed, and the purpose of the access is not for the sole purpose of account review. 29 (h) This section is not intended to prevent a consumer credit reporting agency 30 from advising a third party that requests access to a consumer's credit report or 31 information derived from the credit report that a security freeze is in effect. 01 (i) The procedures used by a consumer credit reporting agency for 02 implementing the provisions of this section may include the use of telephone, 03 facsimile, or electronic means if making the disclosure by the electronic means is 04 consistent with the provisions regarding electronic records and signatures required for 05 notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic 06 Signatures in Global and National Commerce Act), Internet, electronic mail, or 07 another electronic method. 08 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by 09 AS 45.48.130, a consumer credit reporting agency may not remove a security freeze 10 unless 11 (1) the consumer requests that the consumer credit reporting agency 12 remove the security freeze under (b) of this section; or 13 (2) the consumer made a material misrepresentation of fact to the 14 consumer credit reporting agency when the consumer requested the security freeze 15 under AS 45.48.110; if a consumer credit reporting agency intends to remove a 16 security freeze on a consumer's credit report under this paragraph, the consumer credit 17 reporting agency shall notify the consumer in writing five business days before 18 removing the security freeze. 19 (b) A consumer credit reporting agency shall remove a security freeze 20 immediately after receiving a request for removal from the consumer who requested 21 the security freeze if the consumer provides proper identification to identify the 22 consumer and the unique personal identification number or password provided by the 23 consumer credit reporting agency under AS 45.48.120. 24 Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer 25 credit reporting agency may not suggest, state, or imply that a consumer's security 26 freeze reflects a negative credit score, history, report, or rating. 27 Sec. 45.48.160. Charges. (a) Except as provided by (b) of this section, a 28 consumer credit reporting agency may not charge a consumer to place or remove a 29 security freeze, to provide access under AS 45.48.130, or to take any other action, 30 including the issuance of a personal identification number or password under 31 AS 45.48.120, that is related to the placement of, removal of, or allowing access to a 01 credit report or information derived from a credit report on which a security freeze has 02 been placed. 03 (b) If a consumer fails to retain a personal identification number or password 04 issued under AS 45.48.120, a consumer credit reporting agency may charge the 05 consumer up to $5 for each time after the first time that the consumer credit reporting 06 agency issues the consumer another personal identification number or password 07 because the consumer failed to retain the personal identification number or password.  08 Sec. 45.48.170. Notice of rights. When a consumer credit reporting agency is 09 required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit 10 Reporting Act), a consumer credit reporting agency shall also give the consumer the 11 following notice: 12 Consumers Have the Right to Obtain a Security Freeze  13 You may obtain a security freeze on your credit report at no 14 charge to protect your privacy and ensure that credit is not granted in 15 your name without your knowledge. You have a right to place a 16 "security freeze" on your credit report under state law (AS 45.48.100 - 17 45.48.290). 18 The security freeze will prohibit a consumer credit reporting 19 agency from releasing your credit score and any information in your 20 credit report without your express authorization or approval. 21 The security freeze is designed to prevent credit, loans, and 22 other services from being approved in your name without your consent. 23 When you place a security freeze on your credit report, within five 24 business days you will be provided a personal identification number or 25 password to use if you choose to remove the freeze on your credit 26 report or to temporarily authorize the release of your credit report to a 27 specific third party or specific third parties or for a specific period of 28 time after the freeze is in place. To provide that authorization, you must 29 contact the consumer credit reporting agency and provide all of the 30 following: 31 (1) proper identification to verify your identity; 01 (2) the personal identification number or password 02 provided by the consumer credit reporting agency; 03 (3) proper information necessary to identify the third 04 party or third parties who are authorized to receive the credit report or 05 the specific period of time for which the report is to be available to 06 third parties. 07 A consumer credit reporting agency that receives your request 08 to temporarily lift a freeze on a credit report is required to comply with 09 the request immediately after receiving your request if you make the 10 request by telephone or electronic mail, or within three business days 11 after receiving your request if you make the request by certified mail. 12 A security freeze does not apply to circumstances where you 13 have an existing account relationship and a copy of your report is 14 requested by your existing creditor or its agents or affiliates for certain 15 types of account review, collection, fraud control, or similar activities. 16 If you are actively seeking credit, you should understand that 17 the procedures involved in lifting a security freeze may slow your own 18 applications for credit. You should plan ahead and lift a freeze, either 19 completely if you are shopping around, or specifically for a certain 20 creditor, a few days before actually applying for new credit. 21 You have a right to bring a civil action against someone who 22 violates your rights under these laws on security freezes. The action can 23 be brought against a consumer credit reporting agency. 24 Sec. 45.48.180. Notification after violation. If a consumer credit reporting 25 agency violates a security freeze by releasing a consumer's credit report or information 26 derived from the credit report, the consumer credit reporting agency shall notify the 27 consumer within five business days after the release, and the information in the notice 28 must include an identification of the information released and of the third party who 29 received the information. 30 Sec. 45.48.190. Violations and penalties. (a) A consumer who suffers 31 damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an 01 action in court against the person and recover, in the case of a violation where the 02 person acted 03 (1) negligently, actual damages, including loss of wages, and, when 04 applicable, damages for pain and suffering; 05 (2) knowingly, 06 (A) damages as described in (1) of this subsection; 07 (B) punitive damages that are not less than $100 nor more than 08 $5,000 for each violation as the court determines to be appropriate; and 09 (C) other relief that the court determines to be appropriate. 10 (b) A consumer may bring an action in court against a person for a violation or 11 threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or 12 not the consumer seeks another remedy under this section. 13 (c) Notwithstanding (a)(2) of this section, a person who knowingly violates 14 AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court 15 allows. When determining the amount of an award in a class action under this 16 subsection, the court shall consider, among the relevant factors, the amount of any 17 actual damages awarded, the frequency of the violations, the resources of the violator, 18 and the number of consumers adversely affected. 19 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 20 Sec. 45.48.200. Limited application. A consumer credit information agency 21 may not release all or a part of the information on a consumer that the consumer credit 22 information agency has received from a consumer credit reporting agency if the 23 consumer has placed a security freeze on the consumer credit reporting agency under 24 AS 45.48.100. 25 Sec. 45.48.210. Reports not covered. The provisions of AS 45.48.100 - 26 45.48.290 do not apply to a credit report if the credit report is 27 (1) a report that only contains information relating to transactions or 28 experiences between the consumer and the person making the report; 29 (2) a communication of the information that is described in (1) of this 30 section or that is taken from a consumer's credit application if 31 (A) the communication is limited to internal communication 01 within the organization of the person making the report; and 02 (B) the consumer is informed by a clear and conspicuous 03 written disclosure that the information contained in the credit application may 04 be communicated as allowed under (A) of this paragraph, except that, if a 05 credit application is taken by telephone, the consumer shall initially be 06 informed orally when the application is taken, and a clear and conspicuous 07 written disclosure shall be made to the consumer in the first written 08 communication to the consumer after the application is taken; 09 (3) a report containing information solely about a consumer's 10 character, general reputation, personal characteristics, or mode of living and the 11 information is obtained through personal interviews with neighbors, friends, or 12 associates of the consumer reported on, or others with whom the consumer is 13 acquainted or who may have knowledge concerning those items of information; or 14 (4) a credit report furnished for use in connection with a transaction 15 that consists of an extension of credit to be used solely for a commercial purpose. 16 Sec. 45.48.220. Exemptions. The provisions of AS 45.48.100 - 45.48.290 do 17 not apply to the use of a credit report by 18 (1) a person, the person's subsidiary, affiliate, or agent, or the person's 19 assignee with whom a consumer has or, before the assignment, had an account, 20 contract, or debtor-creditor relationship if the purpose of the use is to review the 21 consumer's account or to collect a financial obligation owing on the account, contract, 22 or debt; 23 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective 24 assignee of a person to whom access has been granted under AS 45.48.130 if the 25 purpose of the use is to facilitate the extension of credit or another permissible use; 26 (3) a person acting under a court order, warrant, or subpoena; 27 (4) an agency of a state or municipality that administers a program for 28 establishing and enforcing child support obligations; 29 (5) the Department of Health and Social Services, its agents, or its 30 assigns when investigating fraud; 31 (6) the Department of Revenue, its agents, or its assigns when 01 investigating or collecting delinquent taxes or unpaid court orders or when 02 implementing its other statutory responsibilities; 03 (7) a person if the purpose of the use is prescreening allowed under 15 04 U.S.C. 1681 - 1681w (Fair Credit Reporting Act); 05 (8) a person administering a credit file monitoring subscription service 06 to which the consumer has subscribed; 07 (9) a person providing a consumer with a copy of the consumer's credit 08 report or credit score at the consumer's request. 09 Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290, 10 (1) "account review" means activities related to account maintenance, 11 account monitoring, credit line increases, and account upgrades and enhancements; 12 (2) "consumer" means an individual who is the subject of a credit 13 report; 14 (3) "consumer credit information agency" means a person who acts 15 only as a reseller of consumer information by assembling and merging information 16 contained in the data bases of consumer credit reporting agencies and does not 17 maintain a permanent data base of consumer information from which new consumer 18 credit reports are produced; 19 (4) "consumer credit reporting agency" has the meaning given in 20 AS 45.48.990, but does not include a consumer credit information agency; 21 (5) "security freeze" means a prohibition against a consumer credit 22 reporting agency from releasing all or a part of a consumer's credit report or 23 information derived from the credit report without the express authorization of the 24 consumer; 25 (6) "third party" means a person who is not 26 (A) the consumer who is the subject of the consumer's credit 27 report; or 28 (B) the consumer credit reporting agency that is holding the 29 consumer's credit report. 30 Article 3. Consumer Credit Monitoring; Credit Accuracy.  31 Sec. 45.48.300. Required disclosure. A consumer credit reporting agency 01 shall, if a consumer makes the request and the request is not covered by the free 02 disclosure provision of 15 U.S.C. 1681j(a) - (d) (Fair Credit Reporting Act), clearly 03 and accurately disclose to the consumer the information described under 04 AS 45.45.310. 05 Sec. 45.48.310. Information to be disclosed. (a) The following information 06 shall be disclosed under AS 45.45.300: 07 (1) all information in the consumer's file when the consumer makes the 08 request, except that this paragraph may not be construed to require a consumer credit 09 reporting agency to disclose information concerning credit scores, risk scores, or other 10 predictors that are governed by 15 U.S.C. 1681g; 11 (2) the sources of the information described in (1) of this subsection; 12 (3) an identification of each person, including each end user identified 13 under 15 U.S.C. 1681e, who procured a report on the consumer 14 (A) for employment purposes during the two-year period that 15 precedes the date when the consumer's request is made; or 16 (B) for a purpose other than employment purposes during the 17 one-year period that precedes the date when the consumer's request is made; 18 (4) the dates, original payees, and amounts of any checks that 19 (A) provide the basis for an adverse characterization of the 20 consumer; and 21 (B) are included in the file when the disclosure is made or can 22 be inferred from the file; 23 (5) a record of all inquiries that were received by the consumer credit 24 reporting agency during the one-year period that precedes the request and that identify 25 the consumer in connection with a credit or insurance transaction that was not initiated 26 by the consumer; and 27 (6) a statement that the consumer may request and obtain a credit score 28 if the consumer requests the credit file and not the credit score. 29 (b) The information to be disclosed under (a)(3) of this section must include 30 (1) the name of the person or, if applicable, the full trade name under 31 which the person conducts business; and 01 (2) the address and telephone number of the person if requested by the 02 consumer. 03 (c) A consumer credit reporting agency is not required to disclose the 04 information described in (a)(3) of this section if 05 (1) the end user is an agency of the United States government and 06 procures the consumer's credit report from the consumer credit reporting agency to 07 determine the eligibility of the consumer to receive access or continued access to 08 classified information; in this paragraph, "classified information" has the meaning 09 given in 15 U.S.C. 1681b; and 10 (2) the individual who is in charge of the end user makes a written 11 finding as prescribed under 15 U.S.C. 1681b(b)(4)(A). 12 Sec. 45.48.320. Cost of disclosure. (a) A consumer credit reporting agency 13 may impose a reasonable charge on a consumer for making a disclosure under 14 AS 45.48.300. The charge may not exceed 15 (1) $2 for each of the first 12 requests from the consumer in a calendar 16 year; 17 (2) $8 for each request beyond the 12 requests covered by (1) of this 18 subsection in a calendar year. 19 (b) The consumer credit reporting agency shall disclose the charge to the 20 consumer before making the disclosure under AS 45.48.300. 21 Sec. 45.48.330. Form of disclosure. (a) A consumer may make the request 22 under AS 45.48.300 in writing, in person, by telephone if the consumer has made a 23 written request for the disclosure, by electronic means if the consumer credit reporting 24 agency offers electronic access for any other purpose, or by any other reasonable 25 means that is available from the consumer credit reporting agency. 26 (b) To make a request in person under (a) of this section, the consumer shall, 27 after reasonable notice to the consumer credit reporting agency, appear during normal 28 business hours at the consumer credit reporting agency's place of business where the 29 consumer credit reporting agency normally provides disclosures under AS 45.48.300. 30 Sec. 45.48.340. Timing of disclosure. A consumer credit reporting agency 31 shall provide a consumer with the disclosure under AS 45.48.300 within 01 (1) 24 hours after the date on which the request is made if the 02 disclosure is made by electronic means under AS 45.48.330(a); or 03 (2) five days after the date on which the request is made if the 04 disclosure is made in writing, in person, by telephone, or by any other reasonable 05 means that is available from the consumer credit reporting agency, except by 06 electronic means. 07 Sec. 45.48.350. Credit accuracy. (a) A person who does business in the state 08 by distributing information about an individual's credit history, score, or ranking shall, 09 when notified that the information that the person is distributing is inaccurate, 10 immediately stop distributing the information until the accuracy of the information can 11 be verified or the inaccuracies in the information corrected. 12 (b) If a person who does business in the state by distributing information about 13 an individual's credit history, score, or ranking releases information about an 14 individual that is inaccurate, the person shall, as quickly as possible after discovering 15 that inaccurate information is being distributed, 16 (1) repair, to the extent possible, the damage to the individual caused 17 by the release of the inaccurate information; and 18 (2) pay fair and reasonable compensation to the individual for the 19 damage caused to the individual by the release of the inaccurate information. 20 (c) If a person fails to comply with (b) of this section, an individual may bring 21 an action in court to compel the person to comply with (b) of this section. 22 (d) In this section, "does business in the state" means engages in activities that 23 provide at least the minimum contacts required by substantive due process for the state 24 to exercise jurisdiction over the person who is engaging in the activities. 25 Article 4. Protection of Social Security Number.  26 Sec. 45.48.400. Use of social security number. (a) A person may not, without 27 the consent of the individual, 28 (1) intentionally communicate or otherwise make available to the 29 general public an individual's social security number; 30 (2) print an individual's social security number on a card required for 31 the individual to access products or services provided by the person; 01 (3) require an individual to transmit the individual's social security 02 number over the Internet unless the Internet connection is secure or the social security 03 number is encrypted; 04 (4) require an individual to use the individual's social security number 05 to access an Internet site unless a password, a unique personal identification number, 06 or another authentication device is also required in order to access the site; 07 (5) print an individual's social security number on material that is 08 mailed to the individual unless 09 (A) state or federal law requires the social security number to 10 be on the material; or 11 (B) the social security number is included on an application or 12 other form, including a document sent as a part of an application process or an 13 enrollment process, sent by mail to establish, amend, or terminate an account, a 14 contract, or a policy, or to confirm the accuracy of the social security number; 15 however, a social security number allowed to be mailed under this 16 subparagraph may not be printed, in whole or in part, on a postcard or other 17 mailer that does not require an envelope, or in a manner that makes the social 18 security number visible on the envelope or without the envelope being opened; 19 (6) refuse to do business with an individual because the individual 20 does not consent to the receipt by the person of the social security number of the 21 individual, unless the person is expressly required by state or federal law, in 22 connection with doing business with an individual, to collect or submit the individual's 23 social security number to the state or federal government; this paragraph does not 24 prohibit a person from asking for another form of identification from the individual. 25 (b) Unless expressly required by federal or state law, a person may not sell, 26 lease, loan, trade, rent, or otherwise disclose an individual's social security number to 27 a third party for any purpose without the individual's written consent. 28 Sec. 45.48.410. Additional governmental prohibition; social security  29 numbers. A person who is a state or local governmental agency, except for an agency 30 of the judicial branch, may not ask an individual to provide the agency with a social 31 security number unless state, federal, or local law expressly authorizes the agency to 01 ask the individual to provide the social security number to the agency. A state agency 02 may adopt regulations under AS 44.62 (Administrative Procedure Act) to implement 03 this section. 04 Sec. 45.48.415. Interagency disclosure. Notwithstanding the other provisions 05 of AS 45.48.400 - 45.48.420, a state or local governmental agency may disclose an 06 individual's social security number to another state or local governmental agency or to 07 an agency of the federal government if the disclosure is required in order for the 08 agency to carry out the agency's duties and responsibilities. 09 Sec. 45.48.420. Penalties. (a) A person who knowingly violates AS 45.48.400 10 is liable to the state for a civil penalty not to exceed $3,000. 11 (b) An individual may bring a civil action in court against a person who 12 knowingly violates AS 45.48.400 or 45.48.410 and may recover actual damages or 13 $5,000, whichever amount is greater, and court costs and attorney fees allowed by the 14 rules of court. 15 (c) A person who knowingly violates AS 45.48.400 is guilty of a class A 16 misdemeanor. 17 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 18 Article 5. Disposal of Records.  19 Sec. 45.48.500. Disposal of records. (a) A business and a governmental 20 agency shall take, in connection with and after the disposal of the records, all 21 reasonable measures necessary to protect against unauthorized access to or use of the 22 records of the business or governmental agency that contain personal information. 23 (b) Notwithstanding (a) of this section, if a business or governmental agency 24 has otherwise complied with the provisions of AS 45.48.500 - 45.48.590 in the 25 selection of a third party engaged in the business of record destruction, the business or 26 governmental agency is not liable for the disposal of records under AS 45.48.500 - 27 45.48.590 after the business or governmental agency has relinquished control of the 28 records to the third party for the destruction of the records. 29 Sec. 45.48.510. Measures to protect access. The measures required to be 30 taken under AS 45.48.500 include 31 (1) implementing and monitoring compliance with policies and 01 procedures that require the burning, pulverizing, or shredding of paper documents 02 containing personal information so that the personal information cannot practicably be 03 read or reconstructed; 04 (2) implementing and monitoring compliance with policies and 05 procedures that require the destruction or erasure of electronic media and other 06 nonpaper media containing personal information so that the personal information 07 cannot practicably be read or reconstructed; and 08 (3) after due diligence, entering into a written contract with a third 09 party engaged in the business of record destruction to dispose of records containing 10 personal information in a manner consistent with AS 45.48.500 - 45.48.590. 11 Sec. 45.48.520. Due diligence. In AS 45.48.510(3), due diligence ordinarily 12 includes performing one or more of the following: 13 (1) reviewing an independent audit of the third party's operations and 14 its compliance with AS 45.48.500 - 45.48.590; 15 (2) obtaining information about the third party from several references 16 or other reliable sources and requiring that the third party be certified by a recognized 17 trade association or similar organization with a reputation for high standards of quality 18 review; 19 (3) reviewing and evaluating the third party's information security 20 policies and procedures, or taking other appropriate measures to determine the 21 competency and integrity of the third party. 22 Sec. 45.48.530. Policy and procedures. A business or governmental agency 23 shall comprehensively describe and classify as the official policy of the business or 24 governmental agency in the writings of the business or governmental agency the 25 policies and procedures that relate to the adequate destruction and proper disposal of 26 personal records. In this section, "writings" includes corporate handbooks, employee 27 handbooks, and similar corporate documents. 28 Sec. 45.48.540. Exemption. A business or a governmental agency is not 29 required to comply with AS 45.48.500 - 45.48.530 if federal law requires that the 30 business or governmental agency act in a way that does not comply with AS 45.48.500 31 - 45.48.530. 01 Sec. 45.48.550. Civil penalty. An individual, a business, or a governmental 02 agency that knowingly violates AS 45.48.500 - 45.48.590 is liable to the state for a 03 civil penalty not to exceed $3,000. In this section, "knowingly" has the meaning given 04 in AS 11.81.900. 05 Sec. 45.48.560. Court action. An individual who is damaged by a violation of 06 AS 45.48.500 - 45.48.590 may bring a civil action in court to enjoin further violations 07 and to recover damages for the violation and court costs and attorney fees allowed by 08 the rules of court. 09 Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590, 10 (1) "business" means a person who conducts business in the state or a 11 person who conducts business and maintains or otherwise possesses personal 12 information on state residents; in this paragraph, 13 (A) "conducts business" includes engaging in activities as a 14 financial institution organized, chartered, or holding a license or authorization 15 certificate under the laws of this state, another state, the United States, or 16 another country; 17 (B) "possesses" includes possession for the purpose of 18 destruction; 19 (2) "dispose" means 20 (A) the discarding or abandonment of records containing 21 personal information; 22 (B) the sale, donation, discarding, or transfer of 23 (i) any medium, including computer equipment or 24 computer media, that contains records of personal information; 25 (ii) nonpaper media, other than that identified under (i) 26 of this subparagraph, on which records of personal information are 27 stored; and 28 (iii) equipment for nonpaper storage of information; 29 (3) "governmental agency" means a state or local governmental 30 agency, except for an agency of the judicial branch; 31 (4) "personal information" means information that identifies, relates to, 01 describes, or is capable of being associated with a particular individual, and includes a 02 name, signature, social security number, fingerprint, photograph, computerized image, 03 physical characteristic, physical description, address, telephone number, passport 04 number, driver's license, state identification number, date of birth, medical 05 information, bank account number, credit card number, debit card number, and 06 financial information; 07 (5) "records" means material on which information that is written, 08 drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of 09 physical form or characteristics, but does not include publicly available directories 10 containing names, addresses, telephone numbers, or other information an individual 11 has voluntarily consented to have publicly disseminated or listed. 12 Article 6. Factual Declaration of Innocence after Identity Theft; Right to File Police  13 Report Regarding Identity Theft.  14 Sec. 45.48.600. Factual declaration of innocence after identity theft. (a) A 15 victim of identity theft may petition the superior court for a determination that the 16 victim is factually innocent of a crime if 17 (1) the perpetrator of the identity theft was arrested for, cited for, or 18 convicted of the crime using the victim's identity; 19 (2) a criminal complaint has been filed against the perpetrator in the 20 victim's name; or 21 (3) the victim's identity has been mistakenly associated with a record 22 of a conviction for a crime. 23 (b) In addition to a petition by a victim under (a) of this section, the 24 department may petition the superior court for a determination under (a) of this 25 section, or the superior court may, on its own motion, make a determination under (a) 26 of this section. 27 Sec. 45.48.610. Basis for determination. A determination of factual 28 innocence under AS 45.48.600 may be heard and made on declarations, affidavits, 29 police reports, or other material, relevant, and reliable information submitted by the 30 parties or ordered to be made a part of the record by the court. 31 Sec. 45.48.620. Criteria for determination; court order. (a) A court shall 01 determine that a victim is factually innocent of a crime if the court finds that the 02 petition or motion brought under AS 45.48.600 is meritorious and that 03 (1) there is not a reasonable cause to believe that the victim committed 04 the crime for which the perpetrator of the identity theft was arrested, cited, convicted, 05 or subject to a criminal complaint in the victim's name; or 06 (2) the victim's identity has been mistakenly associated with a record 07 of a conviction of a crime. 08 (b) If a court finds under this section that the victim is factually innocent of a 09 crime, the court shall issue an order indicating this determination of factual innocence 10 and shall provide the victim with a copy of the order. 11 Sec. 45.48.630. Orders regarding records. After a court issues an order under 12 AS 45.48.620, the court may order the name and associated personal information of 13 the victim that is contained in the files, indexes, and other records of the court that are 14 accessible by the public deleted, sealed, or labeled to show that the name and personal 15 information is impersonated and does not reflect the defendant's identity. 16 Sec. 45.48.640. Vacation of determination. A court that has issued an order 17 under AS 45.48.620 may, at any time, vacate the order if the petition or motion, or any 18 information submitted in support of the petition or motion, is found to contain a 19 material misrepresentation or fraudulent material. 20 Sec. 45.48.650. Court form. The supreme court of the state may develop a 21 form to be used for the order under AS 45.48.620. 22 Sec. 45.48.660. Data base. The department may establish and maintain a data 23 base of individuals who have been victims of identity theft and who have received an 24 order under AS 45.48.620. The department shall provide a victim or the victim's 25 authorized representative access to a data base established under this section in order 26 to establish that the individual has been a victim of identity theft. Access to the a data 27 base established under this section is limited to criminal justice agencies, victims of 28 identity theft, and individuals and agencies authorized by the victims. 29 Sec. 45.48.670. Toll-free telephone number. The department may establish 30 and maintain a toll-free telephone number to provide access to information in a data 31 base established under AS 45.48.660. 01 Sec. 45.48.680. Right to file police report regarding identity theft. (a) Even 02 if the local law enforcement agency does not have jurisdiction over the theft of an 03 individual's identity, if an individual who has learned or reasonably suspects the 04 individual has been the victim of identity theft contacts, for the purpose of filing a 05 complaint, a local law enforcement agency that has jurisdiction over the individual's 06 actual place of residence, the local law enforcement agency shall make a report of the 07 matter and provide the individual with a copy of the report. The local law enforcement 08 agency may refer the matter to a law enforcement agency in a different jurisdiction. 09 (b) This section is not intended to interfere with the discretion of a local law 10 enforcement agency to allocate its resources to the investigation of crime. A local law 11 enforcement agency is not required to count a complaint filed under (a) of this section 12 as an open case for purposes that include compiling statistics on its open cases. 13 Sec. 45.48.690. Definitions. In AS 45.48.600 - 45.48.690, 14 (1) "crime" has the meaning given in AS 11.81.900; 15 (2) "department" means the Department of Law; 16 (3) "identity theft" means the theft of the identity of an individual; 17 (4) "perpetrator" means the person who perpetrated the theft of an 18 individual's identity; 19 (5) "victim" means an individual who is the victim of identity theft. 20 Article 7. Consumer Credit Header Information.  21 Sec. 45.48.800. Consumer credit header information. (a) A consumer credit 22 reporting agency may not furnish by a written, an oral, or another method of 23 communication a consumer's credit header information to a person unless the person 24 has a permissible purpose under 15 U.S.C. 1681b (Fair Credit Protection Act) to 25 obtain the consumer's credit report. 26 (b) In this section, "credit header information" means the social security 27 number of a consumer, or a derivative of the social security number, the maiden name 28 of the mother of the consumer, the birth date of the consumer, and other personally 29 identifiable information of a consumer that is derived from nonpublic personal 30 information, except the name, address, and telephone number of the consumer listed in 31 a residential telephone directory available in the locality of the consumer. 01 Article 8. Truncation of Card Information. 02 Sec. 45.48.850. Truncation of card information. (a) A person who accepts 03 credit cards or debit cards for the transaction of business may not print more than the 04 last five digits of the card number or the expiration date on any receipt provided to the 05 cardholder at the point of the sale or transaction. 06 (b) This section applies only to receipts that are electronically printed and does 07 not apply to transactions in which the sole means of recording a credit card or debit 08 card account number is by handwriting or by an imprint or copy of the card. 09 (c) An individual may bring a civil action in court against a person who 10 knowingly violates this section and may recover actual damages or $5,000, whichever 11 is greater, and court costs and attorney fees allowed by the rules of court. 12 (d) A person who knowingly violates this section is liable to the state for a 13 civil penalty not to exceed $3,000. 14 (e) A person who knowingly violates this section is guilty of a class A 15 misdemeanor. 16 (f) In this section, 17 (1) "credit" means the right granted by a creditor to a debtor to defer 18 payment of debt, to incur debts and defer payment of the debt, or to purchase property 19 or services and defer payment of the purchase;in this paragraph, "creditor" means a 20 person who regularly extends, renews, or continues credit, a person who regularly 21 arranges for the extension, renewal, or continuation of credit, or an assignee of an 22 original creditor who participates in the decision to extend, renew, or continue credit; 23 (2) "credit card" means a card, plate, coupon book, or other credit 24 device existing for the purpose of obtaining money, property, labor, or services on 25 credit; 26 (3) "debit card" means a card issued by a financial institution to a 27 consumer for use in initiating an electronic fund transfer from the account of the 28 consumer at the financial institution for the purpose of transferring money between 29 accounts or obtaining money, property, labor, or services; 30 (4) "knowingly" has the meaning given in AS 11.81.900. 31 Article 9. General Provisions.  01 Sec. 45.48.900. Relationship to federal law. If a provision of this chapter is 02 preempted by federal law in a particular situation, the provision does not apply to the 03 extent of the preemption. 04 Sec. 45.48.990. Definitions. In this chapter, unless the context indicates 05 otherwise, 06 (1) "consumer" means an individual; 07 (2) "consumer credit reporting agency" means a person who, for 08 monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or 09 in part in the practice of assembling or evaluating consumer credit information or 10 other information on consumers for the purpose of furnishing credit reports to third 11 parties; 12 (3) "credit report" means a written, oral, or other communication of 13 information by a consumer credit reporting agency bearing on a consumer's credit 14 worthiness, credit standing, credit capacity, character, general reputation, personal 15 characteristics, or mode of living if the communication is used or expected to be used 16 or collected in whole or in part to serve as a factor in establishing the consumer's 17 eligibility for 18 (A) credit or insurance to be used primarily for personal, 19 family, or household purposes; 20 (B) employment purposes; or 21 (C) any other permissible purpose authorized under section 15 22 U.S.C. 1681b; 23 (4) "information system" means any information system, including a 24 system consisting of digital data bases and a system consisting of pieces of paper; 25 (5) "person" has the meaning given in AS 01.10.060 and includes a 26 state or local governmental agency, except for an agency of the judicial branch; 27 (6) "state resident" means an individual who satisfies the residency 28 requirements under AS 01.10.055. 29 Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal 30 Information Protection Act. 31  * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to 01 read: 02 INDIRECT COURT RULE AMENDMENT. AS 45.48.640, enacted by sec. 1 of this 03 Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing a 04 court to vacate an order on its own motion and at any time and by establishing a specific 05 criterion for vacating the order under AS 45.48.640. 06  * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to 07 read: 08 TRANSITION: IMPLEMENTATION. A person to whom AS 45.48.400, 45.48.410, 09 45.48.415, or 45.48.420, enacted by sec. 1 of this Act, applies shall make reasonable efforts to 10 cooperate, through systems testing and other means, to ensure that the requirements of 11 AS 45.48.400, 45.48.410, 45.48.415, and 45.48.420 that apply to the person are implemented 12 on or before the effective date of AS 45.48.400, 45.48.410, 45.48.415, and 45.48.420. In this 13 section, "person" has the meaning given in AS 45.48.990, but also includes an agency of the 14 judicial branch.