txt

CSSB 222(L&C): "An Act relating to breaches of security involving personal information, consumer report security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, filing police reports regarding identity theft, furnishing consumer credit header information, and truncation of credit and debit card information; and amending Rule 60, Alaska Rules of Civil Procedure."

00                      CS FOR SENATE BILL NO. 222(L&C)                                                                    
01 "An Act relating to breaches of security involving personal information, consumer                                       
02 report security freezes, consumer credit monitoring, credit accuracy, protection of social                              
03 security numbers, disposal of records, factual declarations of innocence after identity                                 
04 theft, filing police reports regarding identity theft, furnishing consumer credit header                                
05 information, and truncation of credit and debit card information; and amending Rule                                     
06 60, Alaska Rules of Civil Procedure."                                                                                   
07 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA:                                                                
08    * Section 1. AS 45 is amended by adding a new chapter to read:                                                     
09                Chapter 48. Personal Information Protection Act.                                                       
10            Article 1. Breach of Security Involving Personal Information.                                              
11            Sec. 45.48.010. Disclosure of breach of security. (a) If a person owns or uses                             
12       personal information that includes personal information on a state resident, and a                                
13       breach of the security of the information system containing the personal information                              
01       occurs, the person shall, after discovering or being notified of the breach, disclose the                         
02       breach to the state resident, whether or not the personal information has or has not                              
03       been accessed by an unauthorized third party for legal or illegal purposes.                                       
04            (b)  An information collector shall make the disclosure required by (a) of this                              
05       section in the most expedient time possible and without unreasonable delay, except as                             
06       provided in AS 45.48.020 and as necessary to determine the scope of the breach and                                
07       restore the reasonable integrity of the information system.                                                       
08            Sec. 45.48.020. Allowable delay in notification. An information collector                                  
09       may delay disclosing the breach under AS 45.48.010 if an appropriate law                                          
10       enforcement agency determines that disclosing the breach will interfere with a                                    
11       criminal investigation and provides the information collector with a written request for                          
12       the delay. However, the information collector shall disclose the breach to the state                              
13       resident as soon as notification would not any longer interfere with the investigation                          
14            Sec. 45.48.030. Methods of notice. An information collector shall make the                                 
15       disclosure required by AS 45.48.010                                                                               
16                 (1)  by a written document;                                                                             
17                 (2)  by electronic means if making the disclosure by the electronic                                     
18       means is consistent with the provisions regarding electronic records and signatures                               
19       required for notices legally required to be in writing under 15 U.S.C. 7001 et seq.                               
20       (Electronic Signatures in Global and National Commerce Act); or                                                   
21                 (3)  if the information collector demonstrates that the cost of providing                               
22       notice would exceed $250,000, that the affected class of state residents to be notified                           
23       exceeds 500,000, or that the information collector does not have sufficient contact                               
24       information to provide notice, by                                                                                 
25                      (A)  electronic mail if the information collector has an                                           
26            electronic mail address for the state resident;                                                              
27                      (B)  conspicuously posting the disclosure on the Internet                                          
28            website of the information collector if the information collector maintains an                               
29            Internet site; and                                                                                           
30                      (C)  providing a notice to major statewide media.                                                  
31            Sec. 45.48.040. Exception for employees and agents. In AS 45.48.010 -                                      
01       45.48.090, the good faith acquisition of personal information by an employee or agent                             
02       of an information collector for a legitimate purpose of the information collector is not                          
03       a breach of the security of the information system if the employee or agent does not                              
04       use the personal information for a purpose unrelated to a legitimate purpose of the                               
05       information collector and does not make further unauthorized disclosure of the                                    
06       personal information.                                                                                             
07            Sec. 45.48.050. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and                                  
08       unenforceable.                                                                                                    
09            Sec. 45.48.060. Violations. (a) If an information collector violates                                       
10       AS 45.48.010 - 45.48.090 with regard to the personal information of an individual, the                            
11       individual or a state agency may bring a civil action in court to                                                 
12                 (1)  recover the damages suffered by the state resident;                                                
13                 (2)  enjoin from further violations of AS 45.48.010 - 45.48.090 an                                      
14       information collector who engages in business and the security breach occurred to the                             
15       personal information used or owned by the information collector in the business.                                  
16            (b)  The rights and remedies available under this section are in addition to any                             
17       other rights and remedies available under another law.                                                            
18            (c)  In this section, "state agency" means                                                                   
19                 (1)  a department, division, or office in the executive branch of state                                 
20       government that has authority under the statutes of this state to regulate the operation                          
21       of the information collector; or                                                                                  
22                 (2)  the Department of Law if another state agency does not have                                        
23       authority under the statutes of this state to regulate the operation of the information                           
24       collector.                                                                                                        
25            Sec. 45.48.070. Minimum contacts. An information collector is subject to                                   
26       AS 45.48.010 - 45.48.090 if the information collector engages in activities that                                  
27       provide at least the minimum contacts required by substantive due process for the state                           
28       to exercise jurisdiction over the information collector.                                                          
29            Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090,                                                  
30                 (1)  "breach of the security" means unauthorized acquisition of personal                                
31       information that compromises the security, confidentiality, or integrity of the personal                          
01       information maintained by the information collector; in this paragraph, "acquisition"                             
02       includes acquisition by                                                                                           
03                      (A)  photocopying, facsimile, or other paper-based method;                                         
04                      (B)  a device, including a computer, that can read, write, or                                      
05            store information that is represented in numerical form; or                                                  
06                      (C)  a method not identified by (A) or (B) of this paragraph;                                      
07                 (2)  "information collector" means a person who owns or uses personal                                   
08       information in any form if the personal information includes personal information on a                            
09       state resident;                                                                                                   
10                 (3)  "personal information" means information in any form on an                                         
11       individual, other than, if applicable, the information collector, that is not lawfully                            
12       available to the general public from federal, state, or local government records and that                         
13       consists of                                                                                                       
14                      (A)  a combination of an individual's first name or first initial,                                 
15            the individual's last name, and one or more of the following information                                     
16            elements, when the name or the information elements are not encrypted or                                     
17            redacted:                                                                                                    
18                           (i)  the individual's social security number;                                                 
19                           (ii)  the number of the individual's driver's license or                                      
20                 state identification card;                                                                              
21                           (iii)  the individual's account number, credit card                                           
22                 account number or debit card account number if the number does not                                      
23                 require additional identifying information, access codes, or passwords                                  
24                 for use;                                                                                                
25                           (iv)  account passwords or personal identification                                            
26                 numbers or other access codes;                                                                          
27                      (B)  an item listed in (A)(i) - (iv) of this paragraph if the item                                 
28            would be sufficient to engage in or attempt to engage in the theft of an                                     
29            individual's identity.                                                                                       
30                  Article 2. Consumer Report Security Freeze.                                                          
31            Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a                                      
01       consumer reporting agency from releasing all or a part of the consumer's consumer                                 
02       report or information derived from the consumer report without the express                                        
03       authorization of the consumer by placing a security freeze on the consumer's consumer                             
04       report.                                                                                                           
05            Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a                            
06       consumer shall make the request to the consumer reporting agency                                                  
07                 (1)  by certified mail;                                                                                 
08                 (2)  by telephone if the consumer provides the consumer reporting                                       
09       agency with certain personal identification; or                                                                   
10                 (3)  through a secure electronic mail connection if the consumer                                        
11       reporting agency makes a secure electronic mail connection available to the consumer.                             
12            (b)  A consumer reporting agency shall place a security freeze within five                                   
13       business days after receiving a request under (a)(1) of this section and immediately                              
14       after receiving a request under (a)(2) or (3) of this section.                                                    
15            Sec. 45.48.120. Confirmation of security freeze. (a) Within five business                                  
16       days after a consumer makes the request under AS 45.48.110, a consumer reporting                                  
17       agency shall send a written confirmation of the placement of the security freeze to the                           
18       consumer.                                                                                                         
19            (b)  At the same time that the consumer reporting agency sends a confirmation                                
20       under (a) of this section, the consumer reporting agency shall provide the consumer                               
21       with a unique personal identification number or password to be used by the consumer                               
22       when the consumer authorizes the release of the consumer's consumer report or                                     
23       information derived from the report under AS 45.48.130.                                                           
24            Sec. 45.48.130. Access and actions during security freeze. (a) While a                                     
25       security freeze is in place, a consumer reporting agency shall allow a third party access                         
26       to a consumer's consumer report or information derived from the consumer report if                                
27       the consumer requests that the consumer reporting agency allow the access.                                        
28            (b)  To make a request under (a) of this section, the consumer shall contact the                             
29       consumer reporting agency by telephone, certified mail, or secure electronic mail                                 
30       connection, authorize the consumer reporting agency to allow the access, and provide                              
31       the consumer reporting agency with                                                                                
01                 (1)  proper identification to verify the consumer's identity;                                           
02                 (2)  the unique personal identification number or password provided                                     
03       under AS 45.48.120(b); and                                                                                        
04                 (3)  the proper information necessary to identify the third party to                                    
05       whom the consumer reporting agency may allow the access or the time period during                                 
06       which the consumer reporting agency may allow the access to third parties who                                     
07       request the access.                                                                                               
08            (c)  A consumer reporting agency that receives a request from a consumer                                     
09       under (b) of this section shall comply with the request immediately after receiving the                           
10       request by telephone or electronic mail or within three business days after receiving                             
11       the request by certified mail.                                                                                    
12            (d)  If a security freeze is in place, a consumer reporting agency may not                                   
13       release the consumer report or information derived from the consumer report to a third                            
14       party without the prior express authorization of the consumer.                                                    
15            (e)  If a security freeze is in place on a consumer's consumer report and                                    
16       information derived from the consumer report and if a third party applies to a                                    
17       consumer reporting agency to provide the third party with access to the consumer's                                
18       consumer report or information derived from the consumer report, the consumer                                     
19       reporting agency may treat the third party's application as incomplete unless the                                 
20       consumer authorizes the access under (a) of this section.                                                         
21            (f)  A consumer reporting agency shall notify a consumer that a third party has                              
22       attempted to access the consumer's consumer report or information derived from the                                
23       report if a third party requests a consumer reporting agency to provide the third party                           
24       with access to the consumer report or information, a security freeze has been placed,                             
25       and the purpose of the access is not for the sole purpose of account review.                                      
26            (g)  This section is not intended to prevent a consumer reporting agency from                                
27       advising a third party that requests access to a consumer's consumer report or                                    
28       information derived from the consumer report that a security freeze is in effect.                                 
29            (h)  The procedures used by a consumer reporting agency for implementing the                                 
30       provisions of this section may include the use of telephone, facsimile, or electronic                             
31       means if making the disclosure by the electronic means is consistent with the                                     
01       provisions regarding electronic records and signatures required for notices legally                               
02       required to be in writing under 15 U.S.C. 7001 et seq. (Electronic Signatures in Global                           
03       and National Commerce Act), Internet, electronic mail, or another electronic method.                              
04            Sec. 45.48.140. Removal of security freeze. (a) Except as provided by                                      
05       AS 45.48.130, a consumer reporting agency may not remove a security freeze unless                                 
06                 (1)  the consumer requests that the consumer reporting agency remove                                    
07       the security freeze under (b) of this section; or                                                                 
08                 (2)  the consumer made a material misrepresentation of fact to the                                      
09       consumer reporting agency when the consumer requested the security freeze under                                   
10       AS 45.48.110; if a consumer reporting agency intends to remove a security freeze on a                             
11       consumer's consumer report under this paragraph, the consumer reporting agency shall                              
12       notify the consumer in writing five business days before removing the security freeze.                            
13            (b)  A consumer reporting agency shall remove a security freeze immediately                                  
14       after receiving a request for removal from the consumer who requested the security                                
15       freeze if the consumer provides proper identification to identify the consumer and the                            
16       unique personal identification number or password provided by the consumer                                        
17       reporting agency under AS 45.48.120.                                                                              
18            Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer                                   
19       reporting agency may not suggest, state, or imply that a consumer's security freeze                               
20       reflects a negative credit score, history, report, or rating.                                                     
21            Sec. 45.48.160. Charges. (a) Except as provided by (b) of this section, a                                  
22       consumer reporting agency may not charge a consumer to place or remove a security                                 
23       freeze, to provide access under AS 45.48.130, or to take any other action, including                              
24       the issuance of a personal identification number or password under AS 45.48.120, that                             
25       is related to the placement of, removal of, or allowing access to a consumer report or                            
26       information derived from a consumer report on which a security freeze has been                                    
27       placed.                                                                                                           
28            (b)  If a consumer fails to retain a personal identification number or password                              
29       issued under AS 45.48.120, a consumer reporting agency may charge the consumer up                                 
30       to $5 for each time after the first time that the consumer reporting agency issues the                            
31       consumer another personal identification number or password because the consumer                                  
01       failed to retain the personal identification number or password.                                                 
02            Sec. 45.48.170. Notice of rights. When a consumer reporting agency is                                      
03       required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit                                
04       Reporting Act), a consumer reporting agency shall also give the consumer the                                      
05       following notice:                                                                                                 
06              Consumers Have the Right to Obtain a Security Freeze                                                     
07                 You may obtain a security freeze on your consumer report at no                                          
08            charge to protect your privacy and ensure that credit is not granted in                                      
09            your name without your knowledge. You have a right to place a                                                
10            "security freeze" on your consumer report under state law                                                    
11            (AS 45.48.100 - 45.48.290).                                                                                  
12                 The security freeze will prohibit a consumer reporting agency                                           
13            from releasing any information in your consumer report without your                                          
14            express authorization or approval.                                                                           
15                 The security freeze is designed to prevent credit, loans, and                                           
16            other services from being approved in your name without your consent.                                        
17            When you place a security freeze on your consumer report, within five                                        
18            business days you will be provided a personal identification number or                                       
19            password to use if you choose to remove the freeze on your consumer                                          
20            report or to temporarily authorize the release of your consumer report                                       
21            to a specific third party or specific third parties or for a specific period                                 
22            of time after the freeze is in place. To provide that authorization, you                                     
23            must contact the consumer reporting agency and provide all of the                                            
24            following:                                                                                                   
25                      (1)  proper identification to verify your identity;                                                
26                      (2)  the personal identification number or password                                                
27            provided by the consumer reporting agency;                                                                   
28                      (3)  proper information necessary to identify the third                                            
29            party or third parties who are authorized to receive the consumer report                                     
30            or the specific period of time for which the report is to be available to                                    
31            third parties.                                                                                               
01                 A consumer reporting agency that receives your request to                                               
02            temporarily lift a freeze on a consumer report is required to comply                                         
03            with the request immediately after receiving your request if you make                                        
04            the request by telephone or electronic mail, or within three business                                        
05            days after receiving your request if you make the request by certified                                       
06            mail.                                                                                                        
07                 A security freeze does not apply to circumstances where you                                             
08            have an existing account relationship and a copy of your report is                                           
09            requested by your existing creditor or its agents or affiliates for certain                                  
10            types of account review, collection, fraud control, or similar activities.                                   
11                 If you are actively seeking credit, you should understand that                                          
12            the procedures involved in lifting a security freeze may slow your own                                       
13            applications for credit. You should plan ahead and lift a freeze, either                                     
14            completely if you are shopping around, or specifically for a certain                                         
15            creditor, a few days before actually applying for new credit.                                                
16                 You have a right to bring a civil action against someone who                                            
17            violates your rights under these laws on security freezes. The action can                                    
18            be brought against a consumer reporting agency or a user of your                                             
19            consumer report.                                                                                             
20            Sec. 45.48.180. Notification after violation. If a consumer reporting agency                               
21       violates a security freeze by releasing a consumer's consumer report or information                               
22       derived from the consumer report, the consumer reporting agency shall notify the                                  
23       consumer within five business days after the release, and the information in the notice                           
24       must include an identification of the information released and of the third party who                             
25       received the information.                                                                                         
26            Sec. 45.48.190. Violations and penalties. (a) A consumer who suffers                                       
27       damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an                              
28       action in court against the person and recover, in the case of a violation where the                              
29       person acted                                                                                                      
30                 (1)  negligently, actual damages, including loss of wages, and, when                                    
31       applicable, damages for pain and suffering;                                                                       
01                 (2)  knowingly,                                                                                         
02                      (A)  damages as described in (1) of this subsection;                                               
03                      (B)  punitive damages that are not less than $100 nor more than                                    
04            $5,000 for each violation as the court determines to be appropriate; and                                     
05                      (C)  other relief that the court determines to be appropriate.                                     
06            (b)  A consumer may bring an action in court against a person for a violation or                             
07       threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or                                
08       not the consumer seeks another remedy under this section.                                                         
09            (c)  Notwithstanding (a)(2) of this section, a person who knowingly violates                                 
10       AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court                                 
11       allows. When determining the amount of an award in a class action under this                                      
12       subsection, the court shall consider, among the relevant factors, the amount of any                               
13       actual damages awarded, the frequency of the violations, the resources of the violator,                           
14       and the number of consumers adversely affected.                                                                   
15            (d)  In this section, "knowingly" has the meaning given in AS 11.81.900.                                     
16            Sec. 45.48.200. Minimum contacts. A consumer reporting agency is subject                                   
17       to AS 45.48.100 - 45.48.290 if the consumer reporting agency engages in activities                                
18       that provide at least the minimum contacts required by substantive due process for the                            
19       state to exercise jurisdiction over the consumer reporting agency.                                                
20            Sec. 45.48.210. Reports not covered. The provisions of AS 45.48.100 -                                      
21       45.48.290 do not apply to a consumer report if the consumer report is                                             
22                 (1)  a report that only contains information relating to transactions or                                
23       experiences between the consumer and the person making the report;                                                
24                 (2)  a communication of the information that is described in (1) of this                                
25       section or that is taken from a consumer's credit application if                                                  
26                      (A)  the communication is limited to internal communication                                        
27            within the organization of the person making the report; and                                                 
28                      (B)  the consumer is informed by a clear and conspicuous                                           
29            written disclosure that the information contained in the credit application may                              
30            be communicated as allowed under (A) of this paragraph, except that, if a                                    
31            credit application is taken by telephone, the consumer shall initially be                                    
01            informed orally when the application is taken, and a clear and conspicuous                                   
02            written disclosure shall be made to the consumer in the first written                                        
03            communication to the consumer after the application is taken;                                                
04                 (3)  a report containing information solely about a consumer's                                          
05       character, general reputation, personal characteristics, or mode of living and the                                
06       information is obtained through personal interviews with neighbors, friends, or                                   
07       associates of the consumer reported on, or others with whom the consumer is                                       
08       acquainted or who may have knowledge concerning those items of information; or                                    
09                 (4)  a consumer report furnished for use in connection with a                                           
10       transaction that consists of an extension of credit to be used solely for a commercial                            
11       purpose.                                                                                                          
12            Sec. 45.48.220. Exemptions. The provisions of AS 45.48.100 - 45.48.290 do                                  
13       not apply to the use of a consumer report by                                                                      
14                 (1)  a person, the person's subsidiary, affiliate, or agent, or the person's                            
15       assignee with whom a consumer has or, before the assignment, had an account,                                      
16       contract, or debtor-creditor relationship if the purpose of the use is to review the                              
17       consumer's account or to collect a financial obligation owing on the account, contract,                           
18       or debt;                                                                                                          
19                 (2)  a subsidiary, an affiliate, an agent, an assignee, or a prospective                                
20       assignee of a person to whom access has been granted under AS 45.48.130 if the                                    
21       purpose of the use is to facilitate the extension of credit or another permissible use;                           
22                 (3)  a person acting under a court order, warrant, or subpoena;                                         
23                 (4)  an agency of a state or municipality that administers a program for                                
24       establishing and enforcing child support obligations;                                                             
25                 (5)  the Department of Health and Social Services, its agents, or its                                   
26       assigns when investigating fraud;                                                                                 
27                 (6)  the Department of Revenue, its agents, or its assigns when                                         
28       investigating or collecting delinquent taxes or unpaid court orders or when                                       
29       implementing its other statutory responsibilities;                                                                
30                 (7)  a person if the purpose of the use is prescreening allowed under 15                                
31       U.S.C. 1681 - 1681w (Fair Credit Reporting Act);                                                                  
01                 (8)  a person administering a credit file monitoring subscription service                               
02       to which the consumer has subscribed;                                                                             
03                 (9)  a person providing a consumer with a copy of the consumer's                                        
04       consumer report at the consumer's request.                                                                        
05            Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290,                                                  
06                 (1)  "account review" means activities related to account maintenance,                                  
07       account monitoring, credit line increases, and account upgrades and enhancements;                                 
08                 (2)  "consumer" means an individual who is the subject of a consumer                                    
09       report;                                                                                                           
10                 (3)  "security freeze" means a prohibition against a consumer reporting                                 
11       agency from releasing all or a part of a consumer's consumer report or information                                
12       derived from the consumer report without the express authorization of the consumer;                               
13                 (4)  "third party" means a person who is not                                                            
14                      (A)  the consumer who is the subject of the consumer's                                             
15            consumer report; or                                                                                          
16                      (B)  the consumer reporting agency that is holding the                                             
17            consumer's consumer report.                                                                                  
18             Article 3. Consumer Credit Monitoring; Credit Accuracy.                                                   
19            Sec. 45.48.300. Required disclosure. A consumer reporting agency shall, if a                               
20       consumer makes the request and the request is not covered by the free disclosure                                  
21       provision of 15 U.S.C. 1681j(a) - (d) (Fair Credit Reporting Act), clearly and                                    
22       accurately disclose to the consumer the information described under AS 45.45.310.                                 
23            Sec. 45.48.310. Information to be disclosed. (a) The following information                                 
24       shall be disclosed under AS 45.45.300:                                                                            
25                 (1)  all information in the consumer's file when the consumer makes the                                 
26       request, except that this paragraph may not be construed to require a consumer                                    
27       reporting agency to disclose information concerning credit scores, risk scores, or other                          
28       predictors that are governed by 15 U.S.C. 1681g;                                                                  
29                 (2)  the sources of the information described in (1) of this subsection;                                
30                 (3)  an identification of each person, including each end user identified                               
31       under 15 U.S.C. 1681e, who procured a report on the consumer                                                      
01                      (A)  for employment purposes during the two-year period that                                       
02            precedes the date when the consumer's request is made; or                                                    
03                      (B)  for a purpose other than employment purposes during the                                       
04            one-year period that precedes the date when the consumer's request is made;                                  
05                 (4)  the dates, original payees, and amounts of any checks that                                         
06                      (A)  provide the basis for an adverse characterization of the                                      
07            consumer; and                                                                                                
08                      (B)  are included in the file when the disclosure is made or can                                   
09            be inferred from the file;                                                                                   
10                 (5)  a record of all inquiries that were received by the consumer                                       
11       reporting agency during the one-year period that precedes the request and that identify                           
12       the consumer in connection with a credit or insurance transaction that was not initiated                          
13       by the consumer; and                                                                                              
14                 (6)  a statement that the consumer may request and obtain a credit score                                
15       if the consumer requests the credit file and not the credit score.                                                
16            (b)  The information to be disclosed under (a)(3) of this section must include                               
17                 (1)  the name of the person or, if applicable, the full trade name under                                
18       which the person conducts business; and                                                                           
19                 (2)  the address and telephone number of the person if requested by the                                 
20       consumer.                                                                                                         
21            (c)  A consumer reporting agency is not required to disclose the information                                 
22       described in (a)(3) of this section if                                                                            
23                 (1)  the end user is an agency of the United States government and                                      
24       procures the consumer's consumer report from the consumer reporting agency to                                     
25       determine the eligibility of the consumer to receive access or continued access to                                
26       classified information; in this paragraph, "classified information" has the meaning                               
27       given in 15 U.S.C. 1681b; and                                                                                     
28                 (2)  the individual who is in charge of the end user makes a written                                    
29       finding as prescribed under 15 U.S.C. 1681b(b)(4)(A).                                                             
30            Sec. 45.48.320. Cost of disclosure. (a) A consumer reporting agency may                                    
31       impose a reasonable charge on a consumer for making a disclosure under                                            
01       AS 45.48.300. The charge may not exceed                                                                           
02                 (1)  $2 for each of the first 12 requests from the consumer in a calendar                               
03       year;                                                                                                             
04                 (2)  $8 for each request beyond the 12 requests covered by (1) of this                                  
05       subsection in a calendar year.                                                                                    
06            (b)  The consumer reporting agency shall disclose the charge to the consumer                                 
07       before making the disclosure under AS 45.48.300.                                                                  
08            Sec. 45.48.330. Form of disclosure. (a) A consumer may make the request                                    
09       under AS 45.48.300 in writing, in person, by telephone if the consumer has made a                                 
10       written request for the disclosure, by electronic means if the consumer reporting                                 
11       agency offers electronic access for any other purpose, or by any other reasonable                                 
12       means that is available from the consumer reporting agency.                                                       
13            (b)  To make a request in person under (a) of this section, the consumer shall,                              
14       after reasonable notice to the consumer reporting agency, appear during normal                                    
15       business hours at the consumer reporting agency's place of business where the                                     
16       consumer reporting agency normally provides disclosures under AS 45.48.300.                                       
17            Sec. 45.48.340. Timing of disclosure. A consumer reporting agency shall                                    
18       provide a consumer with the disclosure under AS 45.48.300 within                                                  
19                 (1)  24 hours after the date on which the request is made if the                                        
20       disclosure is made by electronic means under AS 45.48.330(a); or                                                  
21                 (2)  five days after the date on which the request is made if the                                       
22       disclosure is made in writing, in person, by telephone, or by any other reasonable                                
23       means that is available from the consumer reporting agency, except by electronic                                  
24       means.                                                                                                            
25            Sec. 45.48.350. Credit accuracy. (a) A person who does business in the state                               
26       by distributing information about an individual's credit history, score, or ranking shall,                        
27       when notified that the information that the person is distributing is inaccurate,                                 
28       immediately stop distributing the information until the accuracy of the information can                           
29       be verified or the inaccuracies in the information corrected.                                                     
30            (b)  If a person who does business in the state by distributing information about                            
31       an individual's credit history, score, or ranking releases information about an                                   
01       individual that is inaccurate, the person shall, as quickly as possible after discovering                         
02       that inaccurate information is being distributed,                                                                 
03                 (1)  repair, to the extent possible, the damage to the individual caused                                
04       by the release of the inaccurate information; and                                                                 
05                 (2)  pay fair and reasonable compensation to the individual for the                                     
06       damage caused to the individual by the release of the inaccurate information.                                     
07            (c)  If a person fails to comply with (b) of this section, an individual may bring                           
08       an action in court to compel the person to comply with (b) of this section.                                       
09            (d)  In this section, "does business in the state" means engages in activities that                          
10       provide at least the minimum contacts required by substantive due process for the state                           
11       to exercise jurisdiction over the person who is engaging in the activities.                                       
12                 Article 4. Protection of Social Security Number.                                                      
13            Sec. 45.48.400. Use of social security number. (a) A person may not, without                               
14       the consent of the individual,                                                                                    
15                 (1)  intentionally communicate or otherwise make available to the                                       
16       general public an individual's social security number;                                                            
17                 (2)  print an individual's social security number on a card required for                                
18       the individual to access products or services provided by the person;                                             
19                 (3)  require an individual to transmit the individual's social security                                 
20       number over the Internet unless the Internet connection is secure or the social security                          
21       number is encrypted;                                                                                              
22                 (4)  require an individual to use the individual's social security number                               
23       to access an Internet site unless a password, a unique personal identification number,                            
24       or another authentication device is also required in order to access the site;                                    
25                 (5)  print an individual's social security number on material that is                                   
26       mailed to the individual unless                                                                                   
27                      (A)  state or federal law requires the social security number to                                   
28            be on the material; or                                                                                       
29                      (B)  the social security number is included on an application or                                   
30            other form, including a document sent as a part of an application process or an                              
31            enrollment process, sent by mail to establish, amend, or terminate an account, a                             
01            contract, or a policy, or to confirm the accuracy of the social security number;                             
02            however, a social security number allowed to be mailed under this                                            
03            subparagraph may not be printed, in whole or in part, on a postcard or other                                 
04            mailer that does not require an envelope, or in a manner that makes the social                               
05            security number visible on the envelope or without the envelope being opened;                                
06                 (6)  refuse to do business with an individual because the individual                                    
07       does not consent to the receipt by the person of the social security number of the                                
08       individual, unless the person is expressly required by state or federal law, in                                   
09       connection with doing business with an individual, to collect or submit the individual's                          
10       social security number to the state or federal government; this paragraph does not                                
11       prohibit a person from asking for another form of identification from the individual.                             
12            (b)  A person may not sell, lease, loan, trade, rent, or otherwise disclose an                               
13       individual's social security number to a third party for any purpose without the                                  
14       individual's written consent.                                                                                     
15            Sec. 45.48.410. Penalties. (a) A person who knowingly violates AS 45.48.400                                
16       is liable to the state for a civil penalty not to exceed $3,000.                                                  
17            (b)  An individual may bring a civil action in court against a person who                                    
18       knowingly violates AS 45.48.400 and may recover actual damages or $5,000,                                         
19       whichever amount is greater, and court costs and attorney fees allowed by the rules of                            
20       court.                                                                                                            
21            (c)  A person who knowingly violates AS 45.48.400 is guilty of a class A                                     
22       misdemeanor.                                                                                                      
23            (d)  In this section, "knowingly" has the meaning given in AS 11.81.900.                                     
24                       Article 5. Disposal of Records.                                                                 
25            Sec. 45.48.500. Disposal of records. (a) A business shall take, in connection                              
26       with and after the disposal of the records, all reasonable measures necessary to protect                          
27       against unauthorized access to or use of the records of the business that contain                                 
28       personal information.                                                                                             
29            (b)  Notwithstanding (a) of this section, if a business has otherwise complied                               
30       with the provisions of AS 45.48.500 - 45.48.590 in the selection of a third party                                 
31       engaged in the business of record destruction, the business is not liable for the disposal                        
01       of records under AS 45.48.500 - 45.48.590 after the business has relinquished control                             
02       of the records to the third party for the destruction of the records.                                             
03            Sec. 45.48.510. Measures to protect access. The measures required to be                                    
04       taken under AS 45.48.500 include                                                                                  
05                 (1)  implementing and monitoring compliance with policies and                                           
06       procedures that require the burning, pulverizing, or shredding of paper documents                                 
07       containing personal information so that the personal information cannot practicably be                            
08       read or reconstructed;                                                                                            
09                 (2)  implementing and monitoring compliance with policies and                                           
10       procedures that require the destruction or erasure of electronic media and other                                  
11       nonpaper media containing personal information so that the personal information                                   
12       cannot practicably be read or reconstructed; and                                                                  
13                 (3)  after due diligence, entering into a written contract with a third                                 
14       party engaged in the business of record destruction to dispose of records containing                              
15       personal information in a manner consistent with AS 45.48.500 - 45.48.590.                                        
16            Sec. 45.48.520. Due diligence. In AS 45.48.510(3), due diligence ordinarily                                
17       includes performing one or more of the following:                                                                 
18                 (1)  reviewing an independent audit of the third party's operations and                                 
19       its compliance with AS 45.48.500 - 45.48.590;                                                                     
20                 (2)  obtaining information about the third party from several references                                
21       or other reliable sources and requiring that the third party be certified by a recognized                         
22       trade association or similar organization with a reputation for high standards of quality                         
23       review;                                                                                                           
24                 (3)  reviewing and evaluating the third party's information security                                    
25       policies and procedures, or taking other appropriate measures to determine the                                    
26       competency and integrity of the third party.                                                                      
27            Sec. 45.48.530. Business policy and procedures. A business shall                                           
28       comprehensively describe and classify as the business's official policy in the writings                           
29       of the business the policies and procedures that relate to the adequate destruction and                           
30       proper disposal of personal records. In this section, "writings" includes corporate                               
31       handbooks, employee handbooks, and similar corporate documents.                                                   
01            Sec. 45.48.540. Civil penalty. An individual or a business that knowingly                                  
02       violates AS 45.48.500 - 45.48.590 is liable to the state for a civil penalty not to exceed                        
03       $3,000. In this section, "knowingly" has the meaning given in AS 11.81.900.                                       
04            Sec. 45.48.550. Court action. An individual who is damaged by a violation of                               
05       AS 45.48.500 - 45.48.590 may bring a civil action in court to enjoin further violations                           
06       and to recover damages for the violation and court costs and attorney fees allowed by                             
07       the rules of court.                                                                                               
08            Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590,                                                  
09                 (1)  "business" means a person who conducts business in the state or a                                  
10       person who conducts business and maintains or otherwise possesses personal                                        
11       information on state residents; in this paragraph,                                                                
12                      (A)  "conducts business" includes engaging in activities as a                                      
13            financial institution organized, chartered, or holding a license or authorization                            
14            certificate under the laws of this state, another state, the United States, or                               
15            another country;                                                                                             
16                      (B)  "possesses" includes possession for the purpose of                                            
17            destruction;                                                                                                 
18                 (2)  "dispose" means                                                                                    
19                      (A)  the discarding or abandonment of records containing                                           
20            personal information;                                                                                        
21                      (B)  the sale, donation, discarding, or transfer of                                                
22                           (i)  any medium, including computer equipment or                                              
23                 computer media, that contains records of personal information;                                          
24                           (ii)  nonpaper media, other than that identified under (i)                                    
25                 of this subparagraph, on which records of personal information are                                      
26                 stored; and                                                                                             
27                           (iii)  equipment for nonpaper storage of information;                                         
28                 (3)  "personal information" means information that identifies, relates to,                              
29       describes, or is capable of being associated with a particular individual, and includes a                         
30       name, signature, social security number, fingerprint, photograph, computerized image,                             
31       physical characteristic, physical description, address, telephone number, passport                                
01       number, driver's license, state identification number, date of birth, medical                                     
02       information, bank account number, credit card number, debit card number, and                                      
03       financial information;                                                                                            
04                 (4)  "records" means material on which information that is written,                                     
05       drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of                                 
06       physical form or characteristics, but does not include publicly available directories                             
07       containing names, addresses, telephone numbers, or other information an individual                                
08       has voluntarily consented to have publicly disseminated or listed.                                                
09    Article 6. Factual Declaration of Innocence after Identity Theft; Right to File Police                             
10                      Report Regarding Identity Theft.                                                                 
11            Sec. 45.48.600. Factual declaration of innocence after identity theft. (a) A                               
12       victim of identity theft may petition the superior court for a determination that the                             
13       victim is factually innocent of a crime if                                                                        
14                 (1)  the perpetrator of the identity theft was arrested for, cited for, or                              
15       convicted of the crime using the victim's identity;                                                               
16                 (2)  a criminal complaint has been filed against the perpetrator in the                                 
17       victim's name; or                                                                                                 
18                 (3)  the victim's identity has been mistakenly associated with a record                                 
19       of a conviction for a crime.                                                                                      
20            (b)  In addition to a petition by a victim under (a) of this section, the                                    
21       department may petition the superior court for a determination under (a) of this                                  
22       section, or the superior court may, on its own motion, make a determination under (a)                             
23       of this section.                                                                                                  
24            Sec. 45.48.610. Basis for determination. A determination of factual                                        
25       innocence under AS 45.48.600 may be heard and made on declarations, affidavits,                                   
26       police reports, or other material, relevant, and reliable information submitted by the                            
27       parties or ordered to be made a part of the record by the court.                                                  
28            Sec. 45.48.620. Criteria for determination; court order. (a) A court shall                                 
29       determine that a victim is factually innocent of a crime if the court finds that the                              
30       petition or motion brought under AS 45.48.600 is meritorious and that                                             
31                 (1)  there is not a reasonable cause to believe that the victim committed                               
01       the crime for which the perpetrator of the identity theft was arrested, cited, convicted,                         
02       or subject to a criminal complaint in the victim's name; or                                                       
03                 (2)  the victim's identity has been mistakenly associated with a record                                 
04       of a conviction of a crime.                                                                                       
05            (b)  If a court finds under this section that the victim is factually innocent of a                          
06       crime, the court shall issue an order indicating this determination of factual innocence                          
07       and shall provide the victim with a copy of the order.                                                            
08            Sec. 45.48.630. Orders regarding records. After a court issues an order under                              
09       AS 45.48.620, the court may order the name and associated personal information of                                 
10       the victim that is contained in the files, indexes, and other records of the court that are                       
11       accessible by the public deleted, sealed, or labeled to show that the name and personal                           
12       information is impersonated and does not reflect the defendant's identity.                                        
13            Sec. 45.48.640. Vacation of determination. A court that has issued an order                                
14       under AS 45.48.620 may, at any time, vacate the order if the petition or motion, or any                           
15       information submitted in support of the petition or motion, is found to contain a                                 
16       material misrepresentation or fraudulent material.                                                                
17            Sec. 45.48.650. Court form. The supreme court of the state may develop a                                   
18       form to be used for the order under AS 45.48.620.                                                                 
19            Sec. 45.48.660. Data base. The department may establish and maintain a data                                
20       base of individuals who have been victims of identity theft and who have received an                              
21       order under AS 45.48.620. The department shall provide a victim or the victim's                                   
22       authorized representative access to a data base established under this section in order                           
23       to establish that the individual has been a victim of identity theft. Access to the a data                        
24       base established under this section is limited to criminal justice agencies, victims of                           
25       identity theft, and individuals and agencies authorized by the victims.                                           
26            Sec. 45.48.670. Toll-free telephone number. The department may establish                                   
27       and maintain a toll-free telephone number to provide access to information in a data                              
28       base established under AS 45.48.660.                                                                              
29            Sec. 45.48.680. Right to file police report regarding identity theft. (a) Even                             
30       if the local law enforcement agency does not have jurisdiction over the theft of an                               
31       individual's identity, if an individual who has learned or reasonably suspects the                                
01       individual has been the victim of identity theft contacts, for the purpose of filing a                            
02       complaint, a local law enforcement agency that has jurisdiction over the individual's                             
03       actual place of residence, the local law enforcement agency shall make a report of the                            
04       matter and provide the individual with a copy of the report. The local law enforcement                            
05       agency may refer the matter to a law enforcement agency in a different jurisdiction.                              
06            (b)  This section is not intended to interfere with the discretion of a local law                            
07       enforcement agency to allocate its resources to the investigation of crime. A local law                           
08       enforcement agency is not required to count a complaint filed under (a) of this section                           
09       as an open case for purposes that include compiling statistics on its open cases.                                 
10            Sec. 45.48.690. Definitions. In AS 45.48.600 - 45.48.690,                                                  
11                 (1)  "crime" has the meaning given in AS 11.81.900;                                                     
12                 (2)  "department" means the Department of Law;                                                          
13                 (3)  "identity theft" means the theft of the identity of an individual;                                 
14                 (4)  "perpetrator" means the person who perpetrated the theft of an                                     
15       individual's identity;                                                                                            
16                 (5)  "victim" means an individual who is the victim of identity theft.                                  
17                Article 7. Consumer Credit Header Information.                                                         
18            Sec. 45.48.800. Consumer credit header information. (a) A consumer                                         
19       reporting agency may not furnish by a written, an oral, or another method of                                      
20       communication a consumer's credit header information to a person unless the person                                
21       has a permissible purpose under 15 U.S.C. 1681b (Fair Credit Protection Act) to                                   
22       obtain the consumer's consumer report.                                                                            
23            (b)  In this section, "credit header information" means the social security                                  
24       number of a consumer, or a derivative of the social security number, the maiden name                              
25       of the mother of the consumer, the birth date of the consumer, and other personally                               
26       identifiable information of a consumer that is derived from nonpublic personal                                    
27       information, except the name, address, and telephone number of the consumer listed in                             
28       a residential telephone directory available in the locality of the consumer.                                      
29                  Article 8. Truncation of Card Information.                                                           
30            Sec. 45.48.850. Truncation of card information. (a) A person who accepts                                   
31       credit cards or debit cards for the transaction of business may not print more than the                           
01       last five digits of the card number or the expiration date on any receipt provided to the                         
02       cardholder at the point of the sale or transaction.                                                               
03            (b)  This section applies only to receipts that are electronically printed and does                          
04       not apply to transactions in which the sole means of recording a credit card or debit                             
05       card account number is by handwriting or by an imprint or copy of the card.                                       
06            (c)  An individual may bring a civil action in court against a person who                                    
07       knowingly violates this section and may recover actual damages or $5,000, whichever                               
08       is greater, and court costs and attorney fees allowed by the rules of court.                                      
09            (d)  A person who knowingly violates this section is liable to the state for a                               
10       civil penalty not to exceed $3,000.                                                                               
11            (e)  A person who knowingly violates this section is guilty of a class A                                     
12       misdemeanor.                                                                                                      
13            (f)  In this section,                                                                                        
14                 (1)  "credit" means the right granted by a creditor to a debtor to defer                                
15       payment of debt, to incur debts and defer payment of the debt, or to purchase property                            
16       or services and defer payment of the purchase;in this paragraph, "creditor" means a                              
17       person who regularly extends, renews, or continues credit, a person who regularly                                 
18       arranges for the extension, renewal, or continuation of credit, or an assignee of an                              
19       original creditor who participates in the decision to extend, renew, or continue credit;                          
20                 (2)  "credit card" means a card, plate, coupon book, or other credit                                    
21       device existing for the purpose of obtaining money, property, labor, or services on                               
22       credit;                                                                                                           
23                 (3)  "debit card" means a card issued by a financial institution to a                                   
24       consumer for use in initiating an electronic fund transfer from the account of the                                
25       consumer at the financial institution for the purpose of transferring money between                               
26       accounts or obtaining money, property, labor, or services;                                                        
27                 (4)  "knowingly" has the meaning given in AS 11.81.900.                                                 
28                       Article 9. General Provisions.                                                                  
29            Sec. 45.48.900. Relationship to federal law. If a provision of this chapter is                             
30       preempted by federal law in a particular situation, the provision does not apply to the                           
31       extent of the preemption.                                                                                         
01            Sec. 45.48.990. Definitions. In this chapter, unless the context indicates                                 
02       otherwise,                                                                                                        
03                 (1)  "consumer" means an individual;                                                                    
04                 (2)  "consumer report" means a written, oral, or other communication                                    
05       of information by a consumer reporting agency bearing on a consumer's credit                                      
06       worthiness, credit standing, credit capacity, character, general reputation, personal                             
07       characteristics, or mode of living if the communication is used or expected to be used                            
08       or collected in whole or in part to serve as a factor in establishing the consumer's                              
09       eligibility for                                                                                                   
10                      (A)  credit or insurance to be used primarily for personal,                                        
11            family, or household purposes;                                                                               
12                      (B)  employment purposes; or                                                                       
13                      (C)  any other permissible purpose authorized under section 15                                     
14            U.S.C. 1681b;                                                                                                
15                 (3)  "consumer reporting agency" means a person who, for monetary                                       
16       fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in                         
17       the practice of assembling or evaluating consumer credit information or other                                     
18       information on consumers for the purpose of furnishing consumer reports to third                                  
19       parties;                                                                                                          
20                 (4)  "person" has the meaning given in AS 01.10.060 and includes a                                      
21       state or local governmental agency, except for an agency of the judicial branch;                                  
22                 (5)  "state resident" means an individual who satisfies the residency                                   
23       requirements under AS 01.10.055.                                                                                  
24            Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal                              
25       Information Protection Act.                                                                                       
26    * Sec. 2. The uncodified law of the State of Alaska is amended by adding a new section to                          
27 read:                                                                                                                   
28       INDIRECT COURT RULE AMENDMENT. AS 45.48.640, enacted by sec. 1 of this                                            
29 Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing a                              
30 court to vacate an order on its own motion and at any time and by establishing a specific                               
31 criterion for vacating the order under AS 45.48.640.                                                                    
01    * Sec. 3. The uncodified law of the State of Alaska is amended by adding a new section to                          
02 read:                                                                                                                   
03       TRANSITION: IMPLEMENTATION. A person to whom AS 45.48.400 and                                                     
04 45.48.410, enacted by sec. 1 of this Act, apply shall make reasonable efforts to cooperate,                             
05 through systems testing and other means, to ensure that the requirements of AS 45.48.400 and                            
06 45.48.410 are implemented on or before the effective date of AS 45.48.400 and 45.48.410.