CSHB 226(L&C): "An Act relating to breaches of security involving personal information; and relating to credit report security freezes."

CS FOR HOUSE BILL NO. 226(L&C)

"An Act relating to breaches of security involving personal information; and relating to credit report security freezes."

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:

* Section 1. AS 45 is amended by adding a new chapter to read:

Chapter 48. Information Security.

Article 1. Breach of Security Involving Personal Information.

Sec. 45.48.010. Disclosure of breach of security. (a) If a business or governmental entity engages in activities in the state and uses an information system that includes personal information, and a breach of the security of the system occurs, the business or governmental entity shall, after discovering the breach, disclose the breach to each state resident whose personal information, if unencrypted, was, or is reasonably believed to have been, acquired by an unauthorized person due to the breach.

(b) A business or governmental entity shall make the disclosure required by (a) of this section in the most expedient time possible and without unreasonable delay, except as provided in AS 45.48.020 and 45.48.040 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system.

(c) In this section, "activities in the state" means activities that provide at least the minimum contacts required by substantive due process for the state to exercise jurisdiction over the business or governmental entity who is engaging in the activities.

Sec. 45.48.020. Notification of law enforcement. A business or governmental entity may delay making the disclosures required by AS 45.48.010 if the Department of Law determines that the disclosures would compromise an investigation by the Department of Law.

Sec. 45.48.030. Methods of notice. A business or governmental entity shall make the disclosures required by AS 45.48.010
    (1) by a written document that is personally delivered or mailed;
    (2) by electronic means, if the electronic means is allowed under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global and National Commerce Act); or
    (3) if the business or governmental entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of individuals to be notified exceeds 500,000, or that the business or governmental entity does not have sufficient contact information to provide notice, by
        (A) electronic mail if the business or governmental entity has an electronic mail address for the individual;
        (B) conspicuously posting the disclosure on the Internet website of the business or governmental entity, if the business or governmental entity maintains an Internet website; and
        (C) providing a notice to major statewide media.

Sec. 45.48.040. Exception for disclosure policy. If the business or governmental entity described in AS 45.48.010 maintains disclosure procedures as part of an information security policy for the treatment of personal information, and the timing of disclosures under the policy is consistent with AS 45.48.010(b), the business or governmental entity may make the disclosure required by AS 45.48.010(a) under the disclosure procedures maintained by the business or governmental entity.

Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 - 45.48.090, the good faith acquisition of personal information by an employee or agent of the business or governmental entity described in AS 45.48.010 for the purposes of the activities of the business or governmental entity is not a breach of the security of the information system, if the employee or agent does not use the personal information for a purpose unrelated to the activities of the business or governmental entity and does not make further unauthorized disclosure of the personal information.

Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and unenforceable.

Sec. 45.48.070. Violations. (a) If a business or governmental entity violates AS 45.48.010 - 45.48.090, an individual may bring a civil action in court to
    (1) recover the damages suffered by the individual;
    (2) enjoin the business or governmental entity from further violations of AS 45.48.010 - 45.48.090.

(b) If a business or governmental entity violates or proposes to violate AS 45.48.010 - 45.48.090, the state may bring a civil action in court to enjoin the business or governmental entity from violating or continuing to violate AS 45.48.010 - 45.48.090.

(c) The rights and remedies available under this section are in addition to any other rights and remedies available under another law.

Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090,
    (1) "breach of the security" means unauthorized acquisition of information that compromises the security, confidentiality, or integrity of personal information maintained by the business or governmental entity;
    (2) "governmental entity" means a state or local governmental body, subdivision, or agency, except for an agency of a judicial branch of state government;
    (3) "state resident" means an individual who satisfies the residency requirements under AS 01.10.055.

Article 2. Credit Report Security Freezes.

Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a credit reporting agency from releasing all or a part of a consumer's credit report or information derived from the credit report without the express authorization of the consumer by placing a security freeze on the consumer's credit report.

Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a consumer shall
    (1) make the request to the credit reporting agency by certified mail; and
    (2) provide the credit reporting agency with proper identification.

(b) A credit reporting agency shall place a security freeze within five business days after receiving a request under (a) of this section.

Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business days after a consumer makes the request under AS 45.48.110, a credit reporting agency shall send a written confirmation of the placement of the security freeze to the consumer.

(b) At the same time that the credit reporting agency sends a confirmation under (a) of this section, the credit reporting agency shall provide the consumer with a unique personal identification number or password to be used by the consumer when the consumer authorizes the release under AS 45.48.130 of the consumer's credit report or information derived from the report.

Sec. 45.48.130. Access and actions during security freeze. (a) While a security freeze is in place, a credit reporting agency shall allow a third party access to a consumer's credit report or information derived from the credit report if the consumer requests that the credit reporting agency allow the access.

(b) To make a request under (a) of this section, the consumer shall contact the credit reporting agency, authorize the credit reporting agency to allow the access, and provide the credit reporting agency with
    (1) proper identification;
    (2) the unique personal identification number or password provided under AS 45.48.120(b); and
    (3) the proper information necessary to identify the third party to whom the credit reporting agency may allow the access or the time period during which the credit reporting agency may allow the access to third parties who request the access.

(c) A consumer reporting agency that receives a request from a consumer under (b) of this section shall comply with the request within three business days after receiving the request.

(d) A credit reporting agency may develop procedures involving the use of telephone, facsimile, or, if the consumer consents under 15 U.S.C. 7001 (Electronic Signatures in Global and National Commerce Act), the Internet or other electronic media to receive and process a request from a consumer under (a) of this section in an expedited manner.

(e) If a security freeze is in place, a credit reporting agency may not release the credit report or information derived from the credit report to a third party without the prior express authorization of the consumer.

(f) If a security freeze is in place, if a third party applies to a credit reporting agency to provide the third party with access to the consumer's credit report or information derived from the credit report, and if the consumer does not allow access for that specific party or during that specific period of time, the credit reporting agency may treat the third party's application as incomplete.

(g) A credit reporting agency shall notify a consumer that a third party has attempted to access the consumer's credit report or information derived from the report if a third party requests a credit reporting agency to provide the third party with access to the credit report or information, a security freeze has been placed, and the purpose of the access is not for the sole purpose of account review.

(h) This section is not intended to prevent a credit reporting agency from advising a third party who requests access to a consumer's credit report or information derived from the credit report that a security freeze is in effect.

Sec. 45.48.140. Removal of security freeze. (a) Except as provided by AS 45.48.130, a credit reporting agency may not remove a security freeze unless
    (1) the consumer requests that the credit reporting agency remove the security freeze under (b) of this section; or
    (2) the consumer made a material misrepresentation of fact to the credit reporting agency when the consumer requested the security freeze under AS 45.48.110; if a credit reporting agency intends to remove a security freeze on a consumer's credit report under this paragraph, the credit reporting agency shall notify the consumer in writing before removing the security freeze.

(b) A credit reporting agency shall remove a security freeze placed under (a)(1) of this section within three business days after receiving a request for removal from the consumer who requested the security freeze if the consumer provides proper identification to identify the consumer and the unique personal identification number or password provided by the consumer reporting agency under AS 45.48.120.

Sec. 45.48.150. Disclosure of process. If a consumer requests a security freeze under AS 45.48.100, the credit reporting agency shall disclose to the consumer the process under AS 45.48.100 - 45.48.290 of placing a security freeze, allowing access to a third party during a security freeze, and allowing access during a specific period of time during a security freeze.

Sec. 45.48.160. Charges. (a) A credit reporting agency may not charge a consumer more than
    (1) $10 for each time that the consumer places a security freeze under AS 45.48.100, removes a freeze under AS 45.48.140, or allows access for a specific period of time during a security freeze under AS 45.48.130; or
    (2) $12 for each time that the consumer allows access for a specific person during a security freeze under AS 45.48.130.

(b) Notwithstanding (a) of this section, a credit reporting agency may not charge a consumer a fee for placing a security freeze under AS 45.48.100, removing a freeze under AS 45.48.140, or allowing access for a specific person or period of time during a security freeze under AS 45.48.130, if the consumer provides the credit reporting agency with a good faith and valid report made by the consumer to a law enforcement agency that alleges that a piece of personal property containing personal information of the consumer has been stolen.

Sec. 45.48.170. Additional identification information. A credit reporting agency may require additional information about the consumer's employment, personal history, and family history in order to verify the consumer's identity only if the consumer is unable to reasonably identify the consumer with proper identification.

Sec. 45.48.180. Duties during security freeze. (a) If a security freeze is in place, a credit reporting agency may not change a consumer's name, date of birth, social security number, or address in the consumer's credit report without sending a written confirmation of the change to the consumer within 30 days after the change is posted to the consumer's file.

(b) Written confirmation under (a) of this section is not required for a technical modification of a consumer's name, date of birth, social security number, or address, including making or expanding abbreviations, correcting spellings, or correcting transposed numbers or letters.

(c) In the case of an address change under (a) of this section, the written confirmation shall be sent to both the new address and the former address.

Sec. 45.48.190. Violations and remedies. (a) A consumer who suffers damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an action in court against the person and recover, in the case of a violation where the person acted
    (1) negligently, actual damages, including loss of wages, and, when applicable, damages for pain and suffering;
    (2) knowingly,
        (A) damages as described in (1) of this subsection;
        (B) punitive damages that are not less than $100 nor more than $5,000 for each violation as the court determines to be appropriate; and
        (C) other relief that the court determines to be appropriate.

(b) A consumer may bring an action in court against a person for a violation or threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or not the consumer seeks another remedy under this section.

(c) Notwithstanding (a)(2) of this section, a person who knowingly violates AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court allows. When determining the amount of an award in a class action under this subsection, the court shall consider, among the relevant factors, the amount of any actual damages awarded, the frequency of the violations, the resources of the violator, and the number of consumers adversely affected.

(d) In this section, "knowingly" has the meaning given in AS 11.81.900.

Sec. 45.48.270. Reports not covered. The provisions of AS 45.48.100 - 45.48.290 do not apply to a credit report if the credit report is
    (1) a report that only contains information relating to transactions or experiences between the consumer and the person making the report;
    (2) a communication of the information that is described in (1) of this section or that is taken from a credit application by a consumer, if
        (A) the communication is limited to internal communication within the organization of the person making the report or made to another person who is owned by, or affiliated with, the person making the report; and
        (B) the consumer is informed by a clear and conspicuous written disclosure that the information contained in the credit application may be communicated as allowed under (A) of this paragraph, except that, if a credit application is taken by telephone, the consumer shall initially be informed orally when the application is taken, and a clear and conspicuous written disclosure shall be made to the consumer in the first written communication to the consumer after the application is taken;
    (3) an authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;
    (4) a report that conveys a person's decision whether to make a specific extension of credit directly or indirectly to a consumer in response to a request by a third party if the third party advises the consumer of the name and address of the person to whom the request was made;
    (5) a report containing information solely about a consumer's character, general reputation, personal characteristics, or mode of living and the information is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom the consumer is acquainted or who may have knowledge concerning those items of information; or
    (6) a consumer credit report furnished for use in connection with a transaction that consists of an extension of credit to be used solely for a commercial purpose.

Sec. 45.48.280. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290 do not apply to the use of a credit report by
    (1) a person, if the purpose of the person's use is account review or collection of a financial obligation owing for an account, contract, or negotiable instrument, and the consumer
        (A) has, or had before an assignment of the account or contract by the person, an account or contract with the person, including a demand deposit account; or
        (B) issued a negotiable instrument to the person;
    (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective assignee of a person to whom access has been granted under AS 45.48.130 if the purpose of the use is to facilitate the extension of credit or another permissible use;
    (3) when acting under a court order, warrant, or subpoena, a state agency, an agency of a political subdivision of the state, a law enforcement agency, a court, or a private debt collection agency;
    (4) an agency of a state or municipality that administers a program for establishing and enforcing child support obligations;
    (5) the Department of Health and Social Services, its agents, or its assigns when investigating fraud;
    (6) the Department of Revenue, its agents, or its assigns when investigating or collecting delinquent taxes or unpaid court orders or when implementing its other statutory responsibilities;
    (7) a person if the purpose of the use is prescreening allowed under 15 U.S.C. 1681 - 1681w (Fair Credit Reporting Act);
    (8) a person administering a credit file monitoring subscription service to which the consumer has subscribed;
    (9) a person providing a consumer with a copy of the consumer's credit report at the consumer's request.

(b) In (a)(1) of this section, "person" includes the person's subsidiary, affiliate, or agent, an assignee of a financial obligation owed by the consumer to the person, or a prospective assignee of a financial obligation owed by the consumer to the person when in conjunction with the proposed purchase of the financial obligation.

Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290,
    (1) "account review" includes activities related to account maintenance, account monitoring, account credit line increases, and account upgrades and enhancements;
    (2) "affiliate" means a corporation that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another corporation; in this paragraph, "control" means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a corporation;
    (3) "consumer" means an individual;
    (4) "credit report" means a written, oral, or other communication of information by a credit reporting agency bearing on a consumer's credit worthiness, credit standing, or credit capacity if the communication is used or expected to be used, or collected in whole or in part, to serve as a factor in establishing the consumer's eligibility for
        (A) credit to be used primarily for personal, family, or household purposes;
        (B) employment purposes;
        (C) the rental of a dwelling unit; or
        (D) any other purpose authorized under section 15 U.S.C. 1681b;
    (5) "credit reporting agency" means a person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the business of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing credit reports to third parties, and these activities provide at least the minimum contacts required by substantive due process for the state to exercise jurisdiction over the person who is engaging in the activities; "credit reporting agency" does not include a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes;
    (6) "employment purposes" means, when used in connection with a consumer credit report, a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee;
    (7) "file" means, when used in connection with information on a consumer, all of the information on that consumer recorded and retained by a credit reporting agency, regardless of how the information is stored;
    (8) "permissible use" means a permissible use under 15 U.S.C. 1681b;
    (9) "person" has the meaning given in AS 01.10.060 and includes a governmental body, a governmental subdivision, or a governmental agency;
    (10) "proper identification" means the information generally considered sufficient to identify a person;
    (11) "security freeze" means a prohibition against a credit reporting agency from releasing all or a part of a consumer's credit report or information derived from the credit report without the express authorization of the consumer.

Article 3. General Provisions.

Sec. 45.48.300. Relationship to federal law. If a provision of this chapter is preempted by or conflicts with federal law in a particular situation, the provision does not apply to the extent of the preemption or conflict.

Sec. 45.48.390. Definitions. In this chapter, "personal information" means information that is not publicly available information lawfully made available to the general public from federal, state, or local government records; and consists of
        (A) a combination of an individual's first name or first initial, the individual's last name, and one or more of the following information elements, when the name or the information elements are not encrypted or redacted:
            (i) the individual's social security number;
            (ii) the number of the individual's driver's license or state identification card;
            (iii) the individual's account number, credit card account number, or debit card account number, if circumstances exist where the number could be used without additional identifying information, access codes, or passwords;
            (iv) account passwords or personal identification numbers or other access codes; or
        (B) an information element listed in (A)(i) - (iv) of this paragraph if the item would be sufficient to engage in or attempt to engage in the theft of the individual's identity.