SB 222: "An Act relating to breaches of security involving personal information, consumer report security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, filing police reports regarding identity theft, and furnishing consumer credit header information; and amending Rule 60, Alaska Rules of Civil Procedure."
00 SENATE BILL NO. 222 01 "An Act relating to breaches of security involving personal information, consumer 02 report security freezes, consumer credit monitoring, credit accuracy, protection of social 03 security numbers, disposal of records, factual declarations of innocence after identity 04 theft, filing police reports regarding identity theft, and furnishing consumer credit 05 header information; and amending Rule 60, Alaska Rules of Civil Procedure." 06 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 07 * Section 1. AS 45 is amended by adding a new chapter to read: 08 Chapter 48. Personal Information Protection Act. 09 Article 1. Breach of Security Involving Personal Information. 10 Sec. 45.48.010. Disclosure of breach of security. (a) If a person owns or uses 11 personal information that includes personal information on a state resident, and a 12 breach of the security of the information system containing the personal information 13 occurs, the person shall, after discovering or being notified of the breach, disclose the
01 breach to the state resident, whether or not the personal information has or has not 02 been accessed by an unauthorized third party for legal or illegal purposes. 03 (b) An information collector shall make the disclosure required by (a) of this 04 section in the most expedient time possible and without unreasonable delay, except as 05 provided in AS 45.48.020 and as necessary to determine the scope of the breach and 06 restore the reasonable integrity of the information system. 07 Sec. 45.48.020. Notification of law enforcement. An information collector 08 may delay making the disclosures required by AS 45.48.010 if the Department of Law 09 determines that the disclosures may compromise an investigation by the Department 10 of Law. If the disclosures are delayed under this section, the information collector 11 shall make the disclosures after the Department of Law determines that making the 12 disclosures would not compromise an investigation. 13 Sec. 45.48.030. Methods of notice. An information collector shall make the 14 disclosure required by AS 45.48.010 15 (1) by a written document; 16 (2) by electronic means if making the disclosure by the electronic 17 means is consistent with the provisions regarding electronic records and signatures 18 required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. 19 (Electronic Signatures in Global and National Commerce Act); or 20 (3) if the information collector demonstrates that the cost of providing 21 notice would exceed $250,000, that the affected class of state residents to be notified 22 exceeds 500,000, or that the information collector does not have sufficient contact 23 information to provide notice, by 24 (A) electronic mail if the information collector has an 25 electronic mail address for the state resident; 26 (B) conspicuously posting the disclosure on the Internet 27 website of the information collector if the information collector maintains an 28 Internet site; and 29 (C) providing a notice to major statewide media. 30 Sec. 45.48.040. Exception for employees and agents. In AS 45.48.010 - 31 45.48.090, the good faith acquisition of personal information by an employee or agent
01 of an information collector for a legitimate purpose of the information collector is not 02 a breach of the security of the information system if the employee or agent does not 03 use the personal information for a purpose unrelated to a legitimate purpose of the 04 information collector and does not make further unauthorized disclosure of the 05 personal information. 06 Sec. 45.48.050. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and 07 unenforceable. 08 Sec. 45.48.060. Violations. (a) If an information collector violates 09 AS 45.48.010 - 45.48.090 with regard to the personal information of an individual, the 10 individual or a state agency may bring a civil action in court to 11 (1) recover the damages suffered by the state resident; 12 (2) enjoin from further violations of AS 45.48.010 - 45.48.090 an 13 information collector who engages in business and the security breach occurred to the 14 personal information used or owned by the information collector in the business. 15 (b) The rights and remedies available under this section are in addition to any 16 other rights and remedies available under another law. 17 (c) In this section, "state agency" means 18 (1) a department, division, or office in the executive branch of state 19 government that has authority under the statutes of this state to regulate the operation 20 of the information collector; or 21 (2) the Department of Law if another state agency does not have 22 authority under the statutes of this state to regulate the operation of the information 23 collector. 24 Sec. 45.48.070. Minimum contacts. An information collector is subject to 25 AS 45.48.010 - 45.48.090 if the information collector engages in activities that 26 provide at least the minimum contacts required by substantive due process for the state 27 to exercise jurisdiction over the information collector. 28 Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090, 29 (1) "breach of the security" means unauthorized acquisition of personal 30 information that compromises the security, confidentiality, or integrity of the personal 31 information maintained by the information collector; in this paragraph, "acquisition"
01 includes acquisition by 02 (A) photocopying, facsimile, or other paper-based method; 03 (B) a device, including a computer, that can read, write, or 04 store information that is represented in numerical form; or 05 (C) a method not identified by (A) or (B) of this paragraph; 06 (2) "information collector" means a person who owns or uses personal 07 information in any form if the personal information includes personal information on a 08 state resident; 09 (3) "personal information" means information in any form on an 10 individual, other than, if applicable, the information collector, that is not lawfully 11 available to the general public from federal, state, or local government records and that 12 consists of 13 (A) a combination of an individual's first name or first initial, 14 the individual's last name, and one or more of the following information 15 elements, when the name or the information elements are not encrypted or 16 redacted: 17 (i) the individual's social security number; 18 (ii) the number of the individual's driver's license or 19 state identification card; 20 (iii) the individual's account number, credit card 21 account number or debit card account number if the number does not 22 require additional identifying information, access codes, or passwords 23 for use; 24 (iv) account passwords or personal identification 25 numbers or other access codes; 26 (B) an item listed in (A)(i) - (iv) of this paragraph if the item 27 would be sufficient to engage in or attempt to engage in the theft of an 28 individual's identity. 29 Article 2. Consumer Report Security Freeze. 30 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a 31 consumer reporting agency from releasing all or a part of the consumer's consumer
01 report or information derived from the consumer report without the express 02 authorization of the consumer by placing a security freeze on the consumer's consumer 03 report. 04 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a 05 consumer shall make the request to the consumer reporting agency 06 (1) by certified mail; 07 (2) by telephone if the consumer provides the consumer reporting 08 agency with certain personal identification; or 09 (3) through a secure electronic mail connection if the consumer 10 reporting agency makes a secure electronic mail connection available to the consumer. 11 (b) A consumer reporting agency shall place a security freeze within five 12 business days after receiving a request under (a)(1) of this section and immediately 13 after receiving a request under (a)(2) or (3) of this section. 14 Sec. 45.48.120. Confirmation of security freeze. (a) Within five business 15 days after a consumer makes the request under AS 45.48.110, a consumer reporting 16 agency shall send a written confirmation of the placement of the security freeze to the 17 consumer. 18 (b) At the same time that the consumer reporting agency sends a confirmation 19 under (a) of this section, the consumer reporting agency shall provide the consumer 20 with a unique personal identification number or password to be used by the consumer 21 when the consumer authorizes the release of the consumer's consumer report or 22 information derived from the report under AS 45.48.130. 23 Sec. 45.48.130. Access and actions during security freeze. (a) While a 24 security freeze is in place, a consumer reporting agency shall allow a third party access 25 to a consumer's consumer report or information derived from the consumer report if 26 the consumer requests that the consumer reporting agency allow the access. 27 (b) To make a request under (a) of this section, the consumer shall contact the 28 consumer reporting agency by telephone, certified mail, or secure electronic mail 29 connection, authorize the consumer reporting agency to allow the access, and provide 30 the consumer reporting agency with 31 (1) proper identification to verify the consumer's identity;
01 (2) the unique personal identification number or password provided 02 under AS 45.48.120(b); and 03 (3) the proper information necessary to identify the third party to 04 whom the consumer reporting agency may allow the access or the time period during 05 which the consumer reporting agency may allow the access to third parties who 06 request the access. 07 (c) A consumer reporting agency that receives a request from a consumer 08 under (b) of this section shall comply with the request immediately after receiving the 09 request by telephone or electronic mail or within three business days after receiving 10 the request by certified mail. 11 (d) If a security freeze is in place, a consumer reporting agency may not 12 release the consumer report or information derived from the consumer report to a third 13 party without the prior express authorization of the consumer. 14 (e) If a security freeze is in place on a consumer's consumer report and 15 information derived from the consumer report and if a third party applies to a 16 consumer reporting agency to provide the third party with access to the consumer's 17 consumer report or information derived from the consumer report, the consumer 18 reporting agency may treat the third party's application as incomplete unless the 19 consumer authorizes the access under (a) of this section. 20 (f) A consumer reporting agency shall notify a consumer that a third party has 21 attempted to access the consumer's consumer report or information derived from the 22 report if a third party requests a consumer reporting agency to provide the third party 23 with access to the consumer report or information, a security freeze has been placed, 24 and the purpose of the access is not for the sole purpose of account review. 25 (g) This section is not intended to prevent a consumer reporting agency from 26 advising a third party that requests access to a consumer's consumer report or 27 information derived from the consumer report that a security freeze is in effect. 28 (h) The procedures used by a consumer reporting agency for implementing the 29 provisions of this section may include the use of telephone, facsimile, or electronic 30 means if making the disclosure by the electronic means is consistent with the 31 provisions regarding electronic records and signatures required for notices legally
01 required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global 02 and National Commerce Act), Internet, electronic mail, or another electronic method. 03 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by 04 AS 45.48.130, a consumer reporting agency may not remove a security freeze unless 05 (1) the consumer requests that the consumer reporting agency remove 06 the security freeze under (b) of this section; or 07 (2) the consumer made a material misrepresentation of fact to the 08 consumer reporting agency when the consumer requested the security freeze under 09 AS 45.48.110; if a consumer reporting agency intends to remove a security freeze on a 10 consumer's consumer report under this paragraph, the consumer reporting agency shall 11 notify the consumer in writing five business days before removing the security freeze. 12 (b) A consumer reporting agency shall remove a security freeze immediately 13 after receiving a request for removal from the consumer who requested the security 14 freeze if the consumer provides proper identification to identify the consumer and the 15 unique personal identification number or password provided by the consumer 16 reporting agency under AS 45.48.120. 17 Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer 18 reporting agency may not suggest, state, or imply that a consumer's security freeze 19 reflects a negative credit score, history, report, or rating. 20 Sec. 45.48.160. Charges. (a) Except as provided by (b) of this section, a 21 consumer reporting agency may not charge a consumer to place or remove a security 22 freeze, to provide access under AS 45.48.130, or to take any other action, including 23 the issuance of a personal identification number or password under AS 45.48.120, that 24 is related to the placement of, removal of, or allowing access to a consumer report or 25 information derived from a consumer report on which a security freeze has been 26 placed. 27 (b) If a consumer fails to retain a personal identification number or password 28 issued under AS 45.48.120, a consumer reporting agency may charge the consumer up 29 to $5 for each time after the first time that the consumer reporting agency issues the 30 consumer another personal identification number or password because the consumer 31 failed to retain the personal identification number or password.
01 Sec. 45.48.170. Notice of rights. When a consumer reporting agency is 02 required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit 03 Reporting Act), a consumer reporting agency shall also give the consumer the 04 following notice: 05 Consumers Have the Right to Obtain a Security Freeze 06 You may obtain a security freeze on your consumer report at no 07 charge to protect your privacy and ensure that credit is not granted in 08 your name without your knowledge. You have a right to place a 09 "security freeze" on your consumer report under state law 10 (AS 45.48.100 - 45.48.290). 11 The security freeze will prohibit a consumer reporting agency 12 from releasing any information in your consumer report without your 13 express authorization or approval. 14 The security freeze is designed to prevent credit, loans, and 15 other services from being approved in your name without your consent. 16 When you place a security freeze on your consumer report, within five 17 business days you will be provided a personal identification number or 18 password to use if you choose to remove the freeze on your consumer 19 report or to temporarily authorize the release of your consumer report 20 to a specific third party or specific third parties or for a specific period 21 of time after the freeze is in place. To provide that authorization, you 22 must contact the consumer reporting agency and provide all of the 23 following: 24 (1) proper identification to verify your identity; 25 (2) the personal identification number or password 26 provided by the consumer reporting agency; 27 (3) proper information necessary to identify the third 28 party or third parties who are authorized to receive the consumer report 29 or the specific period of time for which the report is to be available to 30 third parties. 31 A consumer reporting agency that receives your request to
01 temporarily lift a freeze on a consumer report is required to comply 02 with the request immediately after receiving your request if you make 03 the request by telephone or electronic mail, or within three business 04 days after receiving your request if you make the request by certified 05 mail. 06 A security freeze does not apply to circumstances where you 07 have an existing account relationship and a copy of your report is 08 requested by your existing creditor or its agents or affiliates for certain 09 types of account review, collection, fraud control, or similar activities. 10 If you are actively seeking credit, you should understand that 11 the procedures involved in lifting a security freeze may slow your own 12 applications for credit. You should plan ahead and lift a freeze, either 13 completely if you are shopping around, or specifically for a certain 14 creditor, a few days before actually applying for new credit. 15 You have a right to bring a civil action against someone who 16 violates your rights under these laws on security freezes. The action can 17 be brought against a consumer reporting agency or a user of your 18 consumer report. 19 Sec. 45.48.180. Notification after violation. If a consumer reporting agency 20 violates a security freeze by releasing a consumer's consumer report or information 21 derived from the consumer report, the consumer reporting agency shall notify the 22 consumer within five business days after the release, and the information in the notice 23 must include an identification of the information released and of the third party who 24 received the information. 25 Sec. 45.48.190. Violations and penalties. (a) A consumer who suffers 26 damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an 27 action in court against the person and recover, in the case of a violation where the 28 person acted 29 (1) negligently, actual damages, including loss of wages, and, when 30 applicable, damages for pain and suffering; 31 (2) knowingly,
01 (A) damages as described in (1) of this subsection; 02 (B) punitive damages that are not less than $100 nor more than 03 $5,000 for each violation as the court determines to be appropriate; and 04 (C) other relief that the court determines to be appropriate. 05 (b) A consumer may bring an action in court against a person for a violation or 06 threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or 07 not the consumer seeks another remedy under this section. 08 (c) Notwithstanding (a)(2) of this section, a person who knowingly violates 09 AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court 10 allows. When determining the amount of an award in a class action under this 11 subsection, the court shall consider, among the relevant factors, the amount of any 12 actual damages awarded, the frequency of the violations, the resources of the violator, 13 and the number of consumers adversely affected. 14 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 15 Sec. 45.48.200. Minimum contacts. A consumer reporting agency is subject 16 to AS 45.48.100 - 45.48.290 if the consumer reporting agency engages in activities 17 that provide at least the minimum contacts required by substantive due process for the 18 state to exercise jurisdiction over the consumer reporting agency. 19 Sec. 45.48.210. Reports not covered. The provisions of AS 45.48.100 - 20 45.48.290 do not apply to a consumer report if the consumer report is 21 (1) a report that only contains information relating to transactions or 22 experiences between the consumer and the person making the report; 23 (2) a communication of the information that is described in (1) of this 24 section or that is taken from a consumer's credit application if 25 (A) the communication is limited to internal communication 26 within the organization of the person making the report; and 27 (B) the consumer is informed by a clear and conspicuous 28 written disclosure that the information contained in the credit application may 29 be communicated as allowed under (A) of this paragraph, except that, if a 30 credit application is taken by telephone, the consumer shall initially be 31 informed orally when the application is taken, and a clear and conspicuous
01 written disclosure shall be made to the consumer in the first written 02 communication to the consumer after the application is taken; 03 (3) a report containing information solely about a consumer's 04 character, general reputation, personal characteristics, or mode of living and the 05 information is obtained through personal interviews with neighbors, friends, or 06 associates of the consumer reported on, or others with whom the consumer is 07 acquainted or who may have knowledge concerning those items of information; or 08 (4) a consumer report furnished for use in connection with a 09 transaction that consists of an extension of credit to be used solely for a commercial 10 purpose. 11 Sec. 45.48.220. Exemptions. The provisions of AS 45.48.100 - 45.48.290 do 12 not apply to the use of a consumer report by 13 (1) a person, the person's subsidiary, affiliate, or agent, or the person's 14 assignee with whom a consumer has or, before the assignment, had an account, 15 contract, or debtor-creditor relationship if the purpose of the use is to review the 16 consumer's account or to collect a financial obligation owing on the account, contract, 17 or debt; 18 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective 19 assignee of a person to whom access has been granted under AS 45.48.130 if the 20 purpose of the use is to facilitate the extension of credit or another permissible use; 21 (3) a person acting under a court order, warrant, or subpoena; 22 (4) an agency of a state or municipality that administers a program for 23 establishing and enforcing child support obligations; 24 (5) the Department of Health and Social Services, its agents, or its 25 assigns when investigating fraud; 26 (6) the Department of Revenue, its agents, or its assigns when 27 investigating or collecting delinquent taxes or unpaid court orders or when 28 implementing its other statutory responsibilities; 29 (7) a person if the purpose of the use is prescreening allowed under 15 30 U.S.C. 1681 - 1681w (Fair Credit Reporting Act); 31 (8) a person administering a credit file monitoring subscription service
01 to which the consumer has subscribed; 02 (9) a person providing a consumer with a copy of the consumer's 03 consumer report at the consumer's request. 04 Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290, 05 (1) "account review" means activities related to account maintenance, 06 account monitoring, credit line increases, and account upgrades and enhancements; 07 (2) "consumer" means an individual who is the subject of a consumer 08 report; 09 (3) "security freeze" means a prohibition against a consumer reporting 10 agency from releasing all or a part of a consumer's consumer report or information 11 derived from the consumer report without the express authorization of the consumer; 12 (4) "third party" means a person who is not 13 (A) the consumer who is the subject of the consumer's 14 consumer report; or 15 (B) the consumer reporting agency that is holding the 16 consumer's consumer report. 17 Article 3. Consumer Credit Monitoring; Credit Accuracy. 18 Sec. 45.48.300. Required disclosure. A consumer reporting agency shall, if a 19 consumer makes the request and the request is not covered by the free disclosure 20 provision of 15 U.S.C. 1681j(a) - (d) (Fair Credit Reporting Act), clearly and 21 accurately disclose to the consumer the information described under AS 45.45.310. 22 Sec. 45.48.310. Information to be disclosed. (a) The following information 23 shall be disclosed under AS 45.45.300: 24 (1) all information in the consumer's file when the consumer makes the 25 request, except that this paragraph may not be construed to require a consumer 26 reporting agency to disclose information concerning credit scores, risk scores, or other 27 predictors that are governed by 15 U.S.C. 1681g; 28 (2) the sources of the information described in (1) of this subsection; 29 (3) an identification of each person, including each end user identified 30 under 15 U.S.C. 1681e, who procured a report on the consumer 31 (A) for employment purposes during the two-year period that
01 precedes the date when the consumer's request is made; or 02 (B) for a purpose other than employment purposes during the 03 one-year period that precedes the date when the consumer's request is made; 04 (4) the dates, original payees, and amounts of any checks that 05 (A) provide the basis for an adverse characterization of the 06 consumer; and 07 (B) are included in the file when the disclosure is made or can 08 be inferred from the file; 09 (5) a record of all inquiries that were received by the consumer 10 reporting agency during the one-year period that precedes the request and that identify 11 the consumer in connection with a credit or insurance transaction that was not initiated 12 by the consumer; and 13 (6) a statement that the consumer may request and obtain a credit score 14 if the consumer requests the credit file and not the credit score. 15 (b) The information to be disclosed under (a)(3) of this section must include 16 (1) the name of the person or, if applicable, the full trade name under 17 which the person conducts business; and 18 (2) the address and telephone number of the person if requested by the 19 consumer. 20 (c) A consumer reporting agency is not required to disclose the information 21 described in (a)(3) of this section if 22 (1) the end user is an agency of the United States government and 23 procures the consumer's consumer report from the consumer reporting agency to 24 determine the eligibility of the consumer to receive access or continued access to 25 classified information; in this paragraph, "classified information" has the meaning 26 given in 15 U.S.C. 1681b; and 27 (2) the individual who is in charge of the end user makes a written 28 finding as prescribed under 15 U.S.C. 1681b(b)(4)(A). 29 Sec. 45.48.320. Cost of disclosure. (a) A consumer reporting agency may 30 impose a reasonable charge on a consumer for making a disclosure under 31 AS 45.48.300. The charge may not exceed
01 (1) $2 for each of the first 12 requests from the consumer in a calendar 02 year; 03 (2) $8 for each request beyond the 12 requests covered by (1) of this 04 subsection in a calendar year. 05 (b) The consumer reporting agency shall disclose the charge to the consumer 06 before making the disclosure under AS 45.48.300. 07 Sec. 45.48.330. Form of disclosure. (a) A consumer may make the request 08 under AS 45.48.300 in writing, in person, by telephone if the consumer has made a 09 written request for the disclosure, by electronic means if the consumer reporting 10 agency offers electronic access for any other purpose, or by any other reasonable 11 means that is available from the consumer reporting agency. 12 (b) To make a request in person under (a) of this section, the consumer shall, 13 after reasonable notice to the consumer reporting agency, appear during normal 14 business hours at the consumer reporting agency's place of business where the 15 consumer reporting agency normally provides disclosures under AS 45.48.300. 16 Sec. 45.48.340. Timing of disclosure. A consumer reporting agency shall 17 provide a consumer with the disclosure under AS 45.48.300 within 18 (1) 24 hours after the date on which the request is made if the 19 disclosure is made by electronic means under AS 45.48.330(a); or 20 (2) five days after the date on which the request is made if the 21 disclosure is made in writing, in person, by telephone, or by any other reasonable 22 means that is available from the consumer reporting agency, except by electronic 23 means. 24 Sec. 45.48.350. Credit accuracy. (a) A person who does business in the state 25 by distributing information about an individual's credit history, score, or ranking shall, 26 when notified that the information that the person is distributing is inaccurate, 27 immediately stop distributing the information until the accuracy of the information can 28 be verified or the inaccuracies in the information corrected. 29 (b) If a person who does business in the state by distributing information about 30 an individual's credit history, score, or ranking releases information about an 31 individual that is inaccurate, the person shall, as quickly as possible after discovering
01 that inaccurate information is being distributed, 02 (1) repair, to the extent possible, the damage to the individual caused 03 by the release of the inaccurate information; and 04 (2) pay fair and reasonable compensation to the individual for the 05 damage caused to the individual by the release of the inaccurate information. 06 (c) If a person fails to comply with (b) of this section, an individual may bring 07 an action in court to compel the person to comply with (b) of this section. 08 (d) In this section, "does business in the state" means engages in activities that 09 provide at least the minimum contacts required by substantive due process for the state 10 to exercise jurisdiction over the person who is engaging in the activities. 11 Article 4. Protection of Social Security Number. 12 Sec. 45.48.400. Use of social security number. (a) A person may not, without 13 the consent of the individual, 14 (1) intentionally communicate or otherwise make available to the 15 general public an individual's social security number; 16 (2) print an individual's social security number on a card required for 17 the individual to access products or services provided by the person; 18 (3) require an individual to transmit the individual's social security 19 number over the Internet unless the Internet connection is secure or the social security 20 number is encrypted; 21 (4) require an individual to use the individual's social security number 22 to access an Internet site unless a password, a unique personal identification number, 23 or another authentication device is also required in order to access the site; 24 (5) print an individual's social security number on materials that are 25 mailed to the individual, unless state or federal law requires the social security number 26 to be on the material; 27 (6) refuse to do business with an individual because the individual 28 does not consent to the receipt by the person of the social security number of the 29 individual, unless the person is expressly required under federal law, in connection 30 with doing business with an individual, to submit the individual's social security 31 number to the federal government.
01 (b) A person may not sell, lease, loan, trade, rent, or otherwise disclose an 02 individual's social security number to a third party for any purpose without the 03 individual's written consent. 04 Sec. 45.48.410. Penalties. (a) A person who knowingly violates AS 45.48.400 05 is liable to the state for a civil penalty not to exceed $3,000. 06 (b) An individual may bring a civil action in court against a person who 07 knowingly violates AS 45.48.400 and may recover actual damages or $5,000, 08 whichever amount is greater, and court costs and attorney fees allowed by the rules of 09 court. 10 (c) A person who knowingly violates AS 45.48.400 is guilty of a class A 11 misdemeanor. 12 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 13 Article 5. Disposal of Records. 14 Sec. 45.48.500. Disposal of records. (a) A business shall take, in connection 15 with and after the disposal of the records, all reasonable measures necessary to protect 16 against unauthorized access to or use of the records of the business that contain 17 personal information. 18 (b) Notwithstanding (a) of this section, if a business has otherwise complied 19 with the provisions of AS 45.48.500 - 45.48.590 in the selection of a third party 20 engaged in the business of record destruction, the business is not liable for the disposal 21 of records under AS 45.48.500 - 45.48.590 after the business has relinquished control 22 of the records to the third party for the destruction of the records. 23 Sec. 45.48.510. Measures to protect access. The measures required to be 24 taken under AS 45.48.500 include 25 (1) implementing and monitoring compliance with policies and 26 procedures that require the burning, pulverizing, or shredding of paper documents 27 containing personal information so that the personal information cannot practicably be 28 read or reconstructed; 29 (2) implementing and monitoring compliance with policies and 30 procedures that require the destruction or erasure of electronic media and other 31 nonpaper media containing personal information so that the personal information
01 cannot practicably be read or reconstructed; and 02 (3) after due diligence, entering into a written contract with a third 03 party engaged in the business of record destruction to dispose of records containing 04 personal information in a manner consistent with AS 45.48.500 - 45.48.590. 05 Sec. 45.48.520. Due diligence. In AS 45.48.510(3), due diligence ordinarily 06 includes performing one or more of the following: 07 (1) reviewing an independent audit of the third party's operations and 08 its compliance with AS 45.48.500 - 45.48.590; 09 (2) obtaining information about the third party from several references 10 or other reliable sources and requiring that the third party be certified by a recognized 11 trade association or similar organization with a reputation for high standards of quality 12 review; 13 (3) reviewing and evaluating the third party's information security 14 policies and procedures, or taking other appropriate measures to determine the 15 competency and integrity of the third party. 16 Sec. 45.48.530. Business policy and procedures. A business shall 17 comprehensively describe and classify as the business's official policy in the writings 18 of the business the policies and procedures that relate to the adequate destruction and 19 proper disposal of personal records. In this section, "writings" includes corporate 20 handbooks, employee handbooks, and similar corporate documents. 21 Sec. 45.48.540. Civil penalty. An individual or a business that knowingly 22 violates AS 45.48.500 - 45.48.590 is liable to the state for a civil penalty not to exceed 23 $3,000. In this section, "knowingly" has the meaning given in AS 11.81.900. 24 Sec. 45.48.550. Court action. An individual who is damaged by a violation of 25 AS 45.48.500 - 45.48.590 may bring a civil action in court to enjoin further violations 26 and to recover damages for the violation and court costs and attorney fees allowed by 27 the rules of court. 28 Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590, 29 (1) "business" means a person who conducts business in the state or a 30 person who conducts business and maintains or otherwise possesses personal 31 information on state residents; in this paragraph,
01 (A) "conducts business" includes engaging in activities as a 02 financial institution organized, chartered, or holding a license or authorization 03 certificate under the laws of this state, another state, the United States, or 04 another country; 05 (B) "possesses" includes possession for the purpose of 06 destruction; 07 (2) "dispose" means 08 (A) the discarding or abandonment of records containing 09 personal information; 10 (B) the sale, donation, discarding, or transfer of 11 (i) any medium, including computer equipment or 12 computer media, that contains records of personal information; 13 (ii) nonpaper media, other than that identified under (i) 14 of this subparagraph, on which records of personal information are 15 stored; and 16 (iii) equipment for nonpaper storage of information; 17 (3) "personal information" means information that identifies, relates to, 18 describes, or is capable of being associated with a particular individual, and includes a 19 name, signature, social security number, fingerprint, photograph, computerized image, 20 physical characteristic, physical description, address, telephone number, passport 21 number, driver's license, state identification number, date of birth, medical 22 information, bank account number, credit card number, debit card number, and 23 financial information; 24 (4) "records" means material on which information that is written, 25 drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of 26 physical form or characteristics, but does not include publicly available directories 27 containing names, addresses, telephone numbers, or other information an individual 28 has voluntarily consented to have publicly disseminated or listed. 29 Article 6. Factual Declaration of Innocence after Identity Theft; Right to File Police 30 Report Regarding Identity Theft. 31 Sec. 45.48.600. Factual declaration of innocence after identity theft. (a) A
01 victim of identity theft may petition the superior court for a determination that the 02 victim is factually innocent of a crime if 03 (1) the perpetrator of the identity theft was arrested for, cited for, or 04 convicted of the crime using the victim's identity; 05 (2) a criminal complaint has been filed against the perpetrator in the 06 victim's name; or 07 (3) the victim's identity has been mistakenly associated with a record 08 of a conviction for a crime. 09 (b) In addition to a petition by a victim under (a) of this section, the 10 department may petition the superior court for a determination under (a) of this 11 section, or the superior court may, on its own motion, make a determination under (a) 12 of this section. 13 Sec. 45.48.610. Basis for determination. A determination of factual 14 innocence under AS 45.48.600 may be heard and made on declarations, affidavits, 15 police reports, or other material, relevant, and reliable information submitted by the 16 parties or ordered to be made a part of the record by the court. 17 Sec. 45.48.620. Criteria for determination; court order. (a) A court shall 18 determine that a victim is factually innocent of a crime if the court finds that the 19 petition or motion brought under AS 45.48.600 is meritorious and that 20 (1) there is not a reasonable cause to believe that the victim committed 21 the crime for which the perpetrator of the identity theft was arrested, cited, convicted, 22 or subject to a criminal complaint in the victim's name; or 23 (2) the victim's identity has been mistakenly associated with a record 24 of a conviction of a crime. 25 (b) If a court finds under this section that the victim is factually innocent of a 26 crime, the court shall issue an order indicating this determination of factual innocence 27 and shall provide the victim with a copy of the order. 28 Sec. 45.48.630. Orders regarding records. After a court issues an order under 29 AS 45.48.620, the court may order the name and associated personal information of 30 the victim that is contained in the files, indexes, and other records of the court that are 31 accessible by the public deleted, sealed, or labeled to show that the name and personal
01 information is impersonated and does not reflect the defendant's identity. 02 Sec. 45.48.640. Vacation of determination. A court that has issued an order 03 under AS 45.48.620 may, at any time, vacate the order if the petition or motion, or any 04 information submitted in support of the petition or motion, is found to contain a 05 material misrepresentation or fraudulent material. 06 Sec. 45.48.650. Court form. The supreme court of the state may develop a 07 form to be used for the order under AS 45.48.620. 08 Sec. 45.48.660. Data base. The department may establish and maintain a data 09 base of individuals who have been victims of identity theft and who have received an 10 order under AS 45.48.620. The department shall provide a victim or the victim's 11 authorized representative access to a data base established under this section in order 12 to establish that the individual has been a victim of identity theft. Access to the a data 13 base established under this section is limited to criminal justice agencies, victims of 14 identity theft, and individuals and agencies authorized by the victims. 15 Sec. 45.48.670. Toll-free telephone number. The department may establish 16 and maintain a toll-free telephone number to provide access to information in a data 17 base established under AS 45.48.660. 18 Sec. 45.48.680. Right to file police report regarding identity theft. (a) Even 19 if the local law enforcement agency does not have jurisdiction over the theft of an 20 individual's identity, if an individual who has learned or reasonably suspects the 21 individual has been the victim of identity theft contacts, for the purpose of filing a 22 complaint, a local law enforcement agency that has jurisdiction over the individual's 23 actual place of residence, the local law enforcement agency shall make a report of the 24 matter and provide the individual with a copy of the report. The local law enforcement 25 agency may refer the matter to a law enforcement agency in a different jurisdiction. 26 (b) This section is not intended to interfere with the discretion of a local law 27 enforcement agency to allocate its resources to the investigation of crime. A local law 28 enforcement agency is not required to count a complaint filed under (a) of this section 29 as an open case for purposes that include compiling statistics on its open cases. 30 Sec. 45.48.690. Definitions. In AS 45.48.600 - 45.48.690, 31 (1) "crime" has the meaning given in AS 11.81.900;
01 (2) "department" means the Department of Law; 02 (3) "identity theft" means the theft of the identity of an individual; 03 (4) "perpetrator" means the person who perpetrated the theft of an 04 individual's identity; 05 (5) "victim" means an individual who is the victim of identity theft. 06 Article 7. Consumer Credit Header Information. 07 Sec. 45.48.800. Consumer credit header information. (a) A consumer 08 reporting agency may not furnish by a written, an oral, or another method of 09 communication a consumer's credit header information to a person unless the person 10 has a permissible purpose under 15 U.S.C. 1681b (Fair Credit Protection Act) to 11 obtain the consumer's consumer report. 12 (b) In this section, "credit header information" means the social security 13 number of a consumer, or a derivative of the social security number, the maiden name 14 of the mother of the consumer, the birth date of the consumer, and other personally 15 identifiable information of a consumer that is derived from nonpublic personal 16 information, except the name, address, and telephone number of the consumer listed in 17 a residential telephone directory available in the locality of the consumer. 18 Article 8. General Provisions. 19 Sec. 45.48.900. Relationship to federal law. If a provision of this chapter is 20 preempted by or conflicts with federal law in a particular situation, the provision does 21 not apply to the extent of the preemption or conflict. 22 Sec. 45.48.990. Definitions. In this chapter, unless the context indicates 23 otherwise, 24 (1) "consumer" means an individual; 25 (2) "consumer report" means a written, oral, or other communication 26 of information by a consumer reporting agency bearing on a consumer's credit 27 worthiness, credit standing, credit capacity, character, general reputation, personal 28 characteristics, or mode of living if the communication is used or expected to be used 29 or collected in whole or in part to serve as a factor in establishing the consumer's 30 eligibility for 31 (A) credit or insurance to be used primarily for personal,
01 family, or household purposes; 02 (B) employment purposes; or 03 (C) any other permissible purpose authorized under section 15 04 U.S.C. 1681b; 05 (3) "consumer reporting agency" means a person who, for monetary 06 fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in 07 the practice of assembling or evaluating consumer credit information or other 08 information on consumers for the purpose of furnishing consumer reports to third 09 parties; 10 (4) "person" has the meaning given in AS 01.10.060 and includes a 11 state or local governmental agency, except for an agency of the judicial branch; 12 (5) "state resident" means an individual who satisfies the residency 13 requirements under AS 01.10.055. 14 Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal 15 Information Protection Act. 16 * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to 17 read: 18 INDIRECT COURT RULE AMENDMENT. AS 45.48.640, enacted by sec. 1 of this 19 Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing a 20 court to vacate an order on its own motion and at any time and by establishing a specific 21 criterion for vacating the order under AS 45.48.640. 22 * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to 23 read: 24 TRANSITION: IMPLEMENTATION. A person to whom AS 45.48.400 and 25 45.48.410, enacted by sec. 1 of this Act, apply shall make reasonable efforts to cooperate, 26 through systems testing and other means, to ensure that the requirements of AS 45.48.400 and 27 45.48.410 are implemented on or before the effective date of AS 45.48.400 and 45.48.410.