CSHB 226(JUD): "An Act relating to breaches of security involving personal information; relating to credit report security freezes; and relating to filing police reports regarding identity theft."

00 CS FOR HOUSE BILL NO. 226(JUD) 01 "An Act relating to breaches of security involving personal information; relating to 02 credit report security freezes; and relating to filing police reports regarding identity 03 theft." 04 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 05 * Section 1. AS 45 is amended by adding a new chapter to read: 06 Chapter 48. Information Security. 07 Article 1. Breach of Security Involving Personal Information. 08 Sec. 45.48.010. Disclosure of breach of security. (a) If a business or 09 governmental entity engages in activities in the state and uses an information system 10 that includes personal information, and a breach of the security of the system occurs, 11 the business or governmental entity shall, after discovering the breach, disclose the 12 breach to each state resident whose personal information, if unencrypted, was, or is 13 reasonably believed to have been, acquired by an unauthorized person for a purpose 14 not authorized by the state resident.

01 (b) A business or governmental entity shall make the disclosure required by 02 (a) of this section in the most expedient time possible and without unreasonable delay, 03 except as provided in AS 45.48.020 and 45.48.040 and as necessary to determine the 04 scope of the breach and restore the reasonable integrity of the information system. 05 (c) In this section, "activities in the state" means activities that provide at least 06 the minimum contacts required by substantive due process for the state to exercise 07 jurisdiction over the business or governmental entity who is engaging in the activities. 08 Sec. 45.48.020. Allowable delay in notification. Notice of the breach may be 09 delayed if an appropriate law enforcement agency determines that notification will 10 interfere with a criminal investigation and provides the business or governmental 11 entity with a written request for the delay. As soon as the investigation is complete, the 12 investigating law enforcement agency shall notify the business or governmental entity 13 when notification will no longer interfere with the investigation. The business or 14 governmental entity shall then notify the state resident. 15 Sec. 45.48.030. Methods of notice. A business or governmental entity shall 16 make the disclosures required by AS 45.48.010 17 (1) by a written document that is personally delivered or mailed; 18 (2) by electronic means, if the electronic means is allowed under 15 19 U.S.C. 7001 et seq. 
(Electronic Signatures in Global and National Commerce Act); or 20 (3) if the business or governmental entity demonstrates that the cost of 21 providing notice would exceed $250,000, or that the affected class of individuals to be 22 notified exceeds 500,000, or that the business or governmental entity does not have 23 sufficient contact information to provide notice, by 24 (A) electronic mail if the business or governmental entity has 25 an electronic mail address for the individual; 26 (B) conspicuously posting the disclosure on the Internet 27 website of the business or governmental entity, if the business or governmental 28 entity maintains an Internet website; and 29 (C) providing a notice to major statewide media. 30 Sec. 45.48.040. Exception for disclosure policy. If the business or 31 governmental entity described in AS 45.48.010 maintains disclosure procedures as

01 part of an information security policy for the treatment of personal information, and 02 the timing of disclosures under the policy is consistent with AS 45.48.010(b), the 03 business or governmental entity may make the disclosure required by AS 45.48.010(a) 04 under the disclosure procedures maintained by the business or governmental entity. 05 Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 - 06 45.48.090, the good faith acquisition of personal information by an employee or agent 07 of the business or governmental entity described in AS 45.48.010 for the purposes of 08 the activities of the business or governmental entity is not a breach of the security of 09 the information system, if the personal information is not used or subject to further 10 unauthorized disclosure. 11 Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and 12 unenforceable. 13 Sec. 45.48.070. Violations. (a) If a business or governmental entity violates 14 AS 45.48.010 - 45.48.090, an individual may bring a civil action in court to 15 (1) recover the damages suffered by the individual; 16 (2) enjoin the business or governmental entity from further violations 17 of AS 45.48.010 - 45.48.090. 18 (b) If a business or governmental entity violates or proposes to violate 19 AS 45.48.010 - 45.48.090, the state may bring a civil action in court to enjoin the 20 business or governmental entity from violating or continuing to violate AS 45.48.010 - 21 45.48.090. 22 (c) The rights and remedies available under this section are in addition to any 23 other rights and remedies available under another law. 24 Sec. 45.48.090. Definitions. 
In AS 45.48.010 - 45.48.090, 25 (1) "breach of the security" means unauthorized acquisition of 26 information that compromises the security, confidentiality, or integrity of personal 27 information maintained by the business or governmental entity; 28 (2) "governmental entity" means a state or local governmental body, 29 subdivision, or agency, except for an agency of a judicial branch of state government; 30 (3) "state resident" means an individual who satisfies the residency 31 requirements under AS 01.10.055.

01 Article 2. Credit Report Security Freezes. 02 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a credit 03 reporting agency from releasing all or a part of a consumer's credit report or 04 information derived from the credit report without the express authorization of the 05 consumer by placing a security freeze on the consumer's credit report. 06 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a 07 consumer shall 08 (1) make the request to the credit reporting agency by certified mail; 09 and 10 (2) provide the credit reporting agency with proper identification. 11 (b) A credit reporting agency shall place a security freeze within five business 12 days after receiving a request under (a) of this section. 13 Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business days 14 after a consumer makes the request under AS 45.48.110, a credit reporting agency 15 shall send a written confirmation of the placement of the security freeze to the 16 consumer. 17 (b) At the same time that the credit reporting agency sends a confirmation 18 under (a) of this section, the credit reporting agency shall provide the consumer with a 19 unique personal identification number or password to be used by the consumer when 20 the consumer authorizes the release under AS 45.48.130 of the consumer's credit 21 report or information derived from the report. 22 Sec. 45.48.130. Access and actions during security freeze. (a) While a 23 security freeze is in place, a credit reporting agency shall allow a third party access to 24 a consumer's credit report or information derived from the credit report if the 25 consumer requests that the credit reporting agency allow the access. 
26 (b) To make a request under (a) of this section, the consumer shall contact the 27 credit reporting agency, authorize the credit reporting agency to allow the access, and 28 provide the credit reporting agency with 29 (1) proper identification; 30 (2) the unique personal identification number or password provided 31 under AS 45.48.120(b); and

01 (3) the proper information necessary to identify the third party to 02 whom the credit reporting agency may allow the access or the time period during 03 which the credit reporting agency may allow the access to third parties who request 04 the access. 05 (c) A credit reporting agency that receives a request from a consumer under 06 (b) of this section shall comply with the request within three business days after 07 receiving the request. 08 (d) A credit reporting agency may develop procedures involving the use of 09 telephone, facsimile, or, if the consumer consents under 15 U.S.C. 7001 (Electronic 10 Signatures in Global and National Commerce Act), the Internet or other electronic 11 media to receive and process a request from a consumer under (a) of this section in an 12 expedited manner. 13 (e) If a security freeze is in place, a credit reporting agency may not release 14 the credit report or information derived from the credit report to a third party without 15 the prior express authorization of the consumer. 16 (f) If a security freeze is in place, if a third party applies to a credit reporting 17 agency to provide the third party with access to the consumer's credit report or 18 information derived from the credit report, and if the consumer does not allow access 19 for that specific party or during that specific period of time, the credit reporting agency 20 may treat the third party's application as incomplete. 21 (g) A credit reporting agency shall notify a consumer that a third party has 22 attempted to access the consumer's credit report or information derived from the report 23 if a third party requests a credit reporting agency to provide the third party with access 24 to the credit report or information, a security freeze has been placed, and the purpose 25 of the access is not for the sole purpose of account review. 
26 (h) This section is not intended to prevent a credit reporting agency from 27 advising a third party who requests access to a consumer's credit report or information 28 derived from the credit report that a security freeze is in effect. 29 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by 30 AS 45.48.130, a credit reporting agency may not remove a security freeze unless 31 (1) the consumer requests that the credit reporting agency remove the

01 security freeze under (b) of this section; or 02 (2) the consumer made a material misrepresentation of fact to the 03 credit reporting agency when the consumer requested the security freeze under 04 AS 45.48.110; if a credit reporting agency intends to remove a security freeze on a 05 consumer's credit report under this paragraph, the credit reporting agency shall notify 06 the consumer in writing before removing the security freeze. 07 (b) A credit reporting agency shall remove a security freeze placed under 08 (a)(1) of this section within three business days after receiving a request for removal 09 from the consumer who requested the security freeze if the consumer provides proper 10 identification to identify the consumer and the unique personal identification number 11 or password provided by the consumer reporting agency under AS 45.48.120. 12 Sec. 45.48.150. Disclosure of process. If a consumer requests a security freeze 13 under AS 45.48.100, the credit reporting agency shall disclose to the consumer the 14 process under AS 45.48.100 - 45.48.290 of placing a security freeze, allowing access 15 to a third party during a security freeze, and allowing access during a specific period 16 of time during a security freeze. 17 Sec. 45.48.160. Prohibition. When dealing with a third party, a credit 18 reporting agency may not suggest, state, or imply that a consumer's security freeze 19 reflects a negative credit score, history, report, or rating. 20 Sec. 45.48.170. Charges. 
(a) A credit reporting agency may not charge a 21 consumer more than 22 (1) $3 for the first time that the consumer places a security freeze in a 23 five-year period under AS 45.48.100; 24 (2) $10 for each time that the consumer 25 (A) places a security freeze under AS 45.48.100 subsequent to 26 placing a security freeze under (1) of this subsection during the five-year 27 period following the placement of the freeze under (1) of this subsection; 28 (B) removes a freeze under AS 45.48.140; or 29 (C) allows access for a specific period of time during a security 30 freeze under AS 45.48.130; or 31 (3) $12 for each time that the consumer allows access for a specific

01 person during a security freeze under AS 45.48.130. 02 (b) Notwithstanding (a) of this section, a credit reporting agency may not 03 charge a consumer a fee for placing a security freeze under AS 45.48.100, removing a 04 freeze under AS 45.48.140, or allowing access for a specific person or period of time 05 during a security freeze under AS 45.48.130, if the consumer provides the credit 06 reporting agency with a good faith and valid report made by the consumer to a law 07 enforcement agency that alleges that a piece of personal property containing personal 08 information of the consumer has been stolen. 09 Sec. 45.48.180. Additional identification information. A credit reporting 10 agency may require additional information about the consumer's employment, 11 personal history, and family history in order to verify the consumer's identity only if 12 the consumer is unable to reasonably identify the consumer with proper identification. 13 Sec. 45.48.190. Duties during security freeze. (a) If a security freeze is in 14 place, a credit reporting agency may not change a consumer's name, date of birth, 15 social security number, or address in the consumer's credit report without sending a 16 written confirmation of the change to the consumer within 30 days after the change is 17 posted to the consumer's file. 18 (b) Written confirmation under (a) of this section is not required for a 19 technical modification of a consumer's name, date of birth, social security number, or 20 address, including making or expanding abbreviations, correcting spellings, or 21 correcting transposed numbers or letters. 22 (c) In the case of an address change under (a) of this section, the written 23 confirmation shall be sent to both the new address and the former address. 24 Sec. 45.48.200. Notification after violation. 
If a credit reporting agency 25 violates a security freeze by releasing a consumer's credit report or information 26 derived from the credit report, the credit reporting agency shall notify the consumer 27 within five business days after the release, and the information in the notice must 28 include an identification of the information released and of the third party who 29 received the information. 30 Sec. 45.48.210. Violations and remedies. (a) A consumer who suffers 31 damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an

01 action in court against the person and recover, in the case of a violation where the 02 person acted 03 (1) negligently, actual damages, including loss of wages, and, when 04 applicable, damages for pain and suffering; 05 (2) knowingly, 06 (A) damages as described in (1) of this subsection; 07 (B) punitive damages that are not less than $100 nor more than 08 $5,000 for each violation as the court determines to be appropriate; and 09 (C) other relief that the court determines to be appropriate. 10 (b) A consumer may bring an action in court against a person for a violation or 11 threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or 12 not the consumer seeks another remedy under this section. 13 (c) Notwithstanding (a)(2) of this section, a person who knowingly violates 14 AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court 15 allows. When determining the amount of an award in a class action under this 16 subsection, the court shall consider, among the relevant factors, the amount of any 17 actual damages awarded, the frequency of the violations, the resources of the violator, 18 and the number of consumers adversely affected. 19 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 20 Sec. 45.48.270. Reports not covered. 
The provisions of AS 45.48.100 - 21 45.48.290 do not apply to a credit report if the credit report is 22 (1) a report that only contains information relating to transactions or 23 experiences between the consumer and the person making the report; 24 (2) a communication of the information that is described in (1) of this 25 section or that is taken from a credit application by a consumer, if 26 (A) the communication is limited to internal communication 27 within the organization of the person making the report or made to another 28 person who is owned by, or affiliated with, the person making the report; and 29 (B) the consumer is informed by a clear and conspicuous 30 written disclosure that the information contained in the credit application may 31 be communicated as allowed under (A) of this paragraph, except that, if a

01 credit application is taken by telephone, the consumer shall initially be 02 informed orally when the application is taken, and a clear and conspicuous 03 written disclosure shall be made to the consumer in the first written 04 communication to the consumer after the application is taken; 05 (3) an authorization or approval of a specific extension of credit 06 directly or indirectly by the issuer of a credit card or similar device; 07 (4) a report that conveys a person's decision whether to make a specific 08 extension of credit directly or indirectly to a consumer in response to a request by a 09 third party if the third party advises the consumer of the name and address of the 10 person to whom the request was made; 11 (5) a report containing information solely about a consumer's 12 character, general reputation, personal characteristics, or mode of living and the 13 information is obtained through personal interviews with neighbors, friends, or 14 associates of the consumer reported on, or others with whom the consumer is 15 acquainted or who may have knowledge concerning those items of information; or 16 (6) a consumer credit report furnished for use in connection with a 17 transaction that consists of an extension of credit to be used solely for a commercial 18 purpose. 19 Sec. 45.48.280. Exemptions. 
(a) The provisions of AS 45.48.100 - 45.48.290 20 do not apply to the use of a credit report by 21 (1) a person, if the purpose of the person's use is account review or 22 collection of a financial obligation owing for an account, contract, or negotiable 23 instrument, and the consumer 24 (A) has, or had before an assignment of the account or contract 25 by the person, an account or contract with the person, including a demand 26 deposit account; or 27 (B) issued a negotiable instrument to the person; 28 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective 29 assignee of a person to whom access has been granted under AS 45.48.130 if the 30 purpose of the use is to facilitate the extension of credit or another permissible use; 31 (3) when acting under a court order, warrant, or subpoena, a state

01 agency, an agency of a political subdivision of the state, a law enforcement agency, a 02 court, or a private debt collection agency; 03 (4) an agency of a state or municipality that administers a program for 04 establishing and enforcing child support obligations; 05 (5) the Department of Health and Social Services, its agents, or its 06 assigns when investigating fraud; 07 (6) the Department of Revenue, its agents, or its assigns when 08 investigating or collecting delinquent taxes or unpaid court orders or when 09 implementing its other statutory responsibilities; 10 (7) a person if the purpose of the use is prescreening allowed under 15 11 U.S.C. 1681 - 1681w (Fair Credit Reporting Act); 12 (8) a person administering a credit file monitoring subscription service 13 to which the consumer has subscribed; 14 (9) a person providing a consumer with a copy of the consumer's credit 15 report at the consumer's request. 16 (b) In (a)(1) of this section, "person" includes the person's subsidiary, affiliate, 17 or agent, an assignee of a financial obligation owed by the consumer to the person, or 18 a prospective assignee of a financial obligation owed by the consumer to the person 19 when in conjunction with the proposed purchase of the financial obligation. 20 Sec. 45.48.290. Definitions. 
In AS 45.48.100 - 45.48.290, 21 (1) "account review" includes activities related to account 22 maintenance, account monitoring, account credit line increases, and account upgrades 23 and enhancements; 24 (2) "affiliate" means a corporation that directly, or indirectly through 25 one or more intermediaries, controls, is controlled by, or is under common control 26 with another corporation; in this paragraph, "control" means the possession, direct or 27 indirect, of the power to direct or cause the direction of the management and policies 28 of a corporation; 29 (3) "consumer" means an individual; 30 (4) "credit report" means a written, oral, or other communication of 31 information by a credit reporting agency bearing on a consumer's credit worthiness,

01 credit standing, or credit capacity if the communication is used or expected to be used, 02 or collected in whole or in part, to serve as a factor in establishing the consumer's 03 eligibility for 04 (A) credit to be used primarily for personal, family, or 05 household purposes; 06 (B) employment purposes; 07 (C) the rental of a dwelling unit; or 08 (D) any other purpose authorized under section 15 U.S.C. 09 1681b; 10 (5) "credit reporting agency" means a person who, for monetary fees, 11 dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the 12 business of assembling or evaluating consumer credit information or other information 13 on consumers for the purpose of furnishing credit reports to third parties, and these 14 activities provide at least the minimum contacts required by substantive due process 15 for the state to exercise jurisdiction over the person who is engaging in the activities; 16 "credit reporting agency" does not include a governmental agency whose records are 17 maintained primarily for traffic safety, law enforcement, or licensing purposes; 18 (6) "employment purposes" means, when used in connection with a 19 consumer credit report, a report used for the purpose of evaluating a consumer for 20 employment, promotion, reassignment, or retention as an employee; 21 (7) "file" means, when used in connection with information on a 22 consumer, all of the information on that consumer recorded and retained by a credit 23 reporting agency, regardless of how the information is stored; 24 (8) "permissible use" means a permissible use under 15 U.S.C. 
1681b; 25 (9) "person" has the meaning given in AS 01.10.060 and includes a 26 governmental body, a governmental subdivision, or a governmental agency; 27 (10) "proper identification" means the information generally 28 considered sufficient to identify a person; 29 (11) "security freeze" means a prohibition against a credit reporting 30 agency from releasing all or a part of a consumer's credit report or information derived 31 from the credit report without the express authorization of the consumer.

01 Article 3. Right to File Police Report Regarding Identity Theft. 02 Sec. 45.48.300. Right to file police report regarding identity theft. (a) Even 03 if the local law enforcement agency does not have jurisdiction over the theft of an 04 individual's identity, if an individual who has learned or reasonably suspects the 05 individual has been the victim of identity theft contacts, for the purpose of filing a 06 complaint, a local law enforcement agency that has jurisdiction over the individual's 07 actual place of residence, the local law enforcement agency shall make a report of the 08 matter and provide the individual with a copy of the report. The local law enforcement 09 agency may refer the matter to a law enforcement agency in a different jurisdiction. 10 (b) This section is not intended to interfere with the discretion of a local law 11 enforcement agency to allocate its resources to the investigation of crime. A local law 12 enforcement agency is not required to count a complaint filed under (a) of this section 13 as an open case for purposes that include compiling statistics on its open cases. 14 (c) In this section, 15 (1) "crime" has the meaning given in AS 11.81.900; 16 (2) "identity theft" means the theft of the identity of an individual; 17 (3) "victim" means an individual who is the victim of identity theft. 18 Article 4. General Provisions. 19 Sec. 45.48.400. Relationship to federal law. If a provision of this chapter is 20 preempted by federal law in a particular situation, the provision does not apply to the 21 extent of the preemption or conflict. 22 Sec. 45.48.490. Definitions. 
In this chapter, "personal information" means an 23 individual's first name or first initial and last name in combination with any one or 24 more of the following data elements, when either the name or the data elements are 25 not encrypted: 26 (1) social security number; 27 (2) driver's license number or state identification card number; 28 (3) account number or credit or debit card number, in combination 29 with any required security code, access code, or password that would permit access to 30 an individual's financial account. 31 * Sec. 2. AS 45.48.170(a) is repealed and reenacted to read:

01 (a) A credit reporting agency may not charge a consumer more than 02 (1) $10 for each time that the consumer places a security freeze under 03 AS 45.48.100, removes a freeze under AS 45.48.140, or allows access for a specific 04 period of time during a security freeze under AS 45.48.130; or 05 (2) $12 for each time that the consumer allows access for a specific 06 person during a security freeze under AS 45.48.130. 07 * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to 08 read: 09 CONTINGENT EFFECT OF SECTION 2. Section 2 of this Act takes effect only if a 10 court of competent jurisdiction whose decisions are binding in this state enters a final 11 judgment that the charge allowed under AS 45.48.170(a)(1), as enacted by sec. 1 of this Act, 12 are unconstitutional.