Alaska State Legislature

Home
Bill & Laws
Bills
CSHB 65(FIN) Detail
FullText

txt

CSHB 65(FIN): "An Act relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security numbers, care of records, disposal of records, identity theft, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amending Rules 60 and 82, Alaska Rules of Civil Procedure; and providing for an effective date."

00 CS FOR HOUSE BILL NO. 65(FIN) 01 "An Act relating to breaches of security involving personal information, credit report 02 and credit score security freezes, protection of social security numbers, care of records, 03 disposal of records, identity theft, credit cards, and debit cards, and to the jurisdiction of 04 the office of administrative hearings; amending Rules 60 and 82, Alaska Rules of Civil 05 Procedure; and providing for an effective date." 06 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF ALASKA: 07 * Section 1. AS 40.21.110 is amended to read: 08 Sec. 40.21.110. Care of records. Except for public records lawfully in the 09 possession of a person other than the state, public records of existing or defunct 10 agencies of the state, territorial, and Russian governments in Alaska are the property 11 of the state and shall be created, maintained, preserved, stored, transferred, destroyed 12 or disposed of, and otherwise managed in accordance with the provisions of this 13 chapter and AS 45.48.500 - 45.48.530. Records shall be delivered by outgoing

01 officials and employees to their successors, and may not be removed, destroyed or 02 disposed of, except as provided in this chapter and AS 45.48.500 - 45.48.530. 03 * Sec. 2. AS 44.64.030(a) is amended by adding a new paragraph to read: 04 (40) AS 45.48.080(c) (breach of security involving personal 05 information). 06 * Sec. 3. AS 45 is amended by adding a new chapter to read: 07 Chapter 48. Personal Information Protection Act. 08 Article 1. Breach of Security Involving Personal Information. 09 Sec. 45.48.010. Disclosure of breach of security. (a) If a covered person owns 10 or licenses personal information in any form that includes personal information on a 11 state resident, and a breach of the security of the information system that contains 12 personal information occurs, the covered person shall, after discovering or being 13 notified of the breach, disclose the breach to each state resident whose personal 14 information was subject to the breach. 15 (b) An information collector shall make the disclosure required by (a) of this 16 section in the most expeditious time possible and without unreasonable delay, except 17 as provided in AS 45.48.020 and as necessary to determine the scope of the breach and 18 restore the reasonable integrity of the information system. 19 (c) Notwithstanding (a) of this section, disclosure is not required if, after an 20 appropriate investigation or after consultation with relevant federal, state, or local 21 agencies responsible for law enforcement, the covered person determines that there is 22 not a reasonable likelihood that harm to the consumers whose personal information 23 has been acquired has resulted or will result from the breach. The determination shall 24 be documented in writing and the documentation shall be maintained for five years. 25 Sec. 45.48.020. Allowable delay in notification. An information collector 26 may delay disclosing the breach under AS 45.48.010 if an appropriate law 27 enforcement agency determines that disclosing the breach will interfere with a 28 criminal investigation. However, the information collector shall disclose the breach to 29 the state resident in the most expeditious time possible and without unreasonable delay 30 after the law enforcement agency informs the information collector in writing that 31 disclosure of the breach will no longer interfere with the investigation.

01 Sec. 45.48.030. Methods of notice. An information collector shall make the 02 disclosure required by AS 45.48.010 03 (1) by a written document sent to the most recent address the 04 information collector has for the state resident; 05 (2) by electronic means if making the disclosure by the electronic 06 means is consistent with the provisions regarding electronic records and signatures 07 required for notices legally required to be in writing under 15 U.S.C. 7001 et seq. 08 (Electronic Signatures in Global and National Commerce Act); or 09 (3) if the information collector demonstrates that the cost of providing 10 notice would exceed $150,000, that the affected class of state residents to be notified 11 exceeds 300,000, or that the information collector does not have sufficient contact 12 information to provide notice, by 13 (A) electronic mail if the information collector has an 14 electronic mail address for the state resident; 15 (B) conspicuously posting the disclosure on the Internet 16 website of the information collector if the information collector maintains an 17 Internet site; and 18 (C) providing a notice to major statewide media. 19 Sec. 45.48.040. Notification of certain other agencies. (a) If an information 20 collector is required by AS 45.48.010 to notify more than 1,000 state residents of a 21 breach, the information collector shall also notify without unreasonable delay all 22 consumer credit reporting agencies that compile and maintain files on consumers on a 23 nationwide basis and provide the agencies with the timing, distribution, and content of 24 the notices. 25 (b) This section may not be construed to require the information collector to 26 provide the consumer reporting agencies identified under (a) of this section with the 27 names or other personal information of the state residents whose personal information 28 was subject to the breach. 29 (c) This section does not apply to an information collector who is subject to 15 30 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Financial Modernization Act). 31 (d) In this section, "consumer reporting agency that compiles and maintains

01 files on consumers on a nationwide basis" has the meaning given in 15 U.S.C. 02 1681a(p). 03 Sec. 45.48.050. Exception for employees and agents. In AS 45.48.010 - 04 45.48.090, the good faith acquisition of personal information by an employee or agent 05 of an information collector for a legitimate purpose of the information collector is not 06 a breach of the security of the information system if the employee or agent does not 07 use the personal information for a purpose unrelated to a legitimate purpose of the 08 information collector and does not make further unauthorized disclosure of the 09 personal information. 10 Sec. 45.48.060. Waivers. A waiver of AS 45.48.010 - 45.48.090 is void and 11 unenforceable. 12 Sec. 45.48.070. Treatment of certain breaches. (a) If a breach of the security 13 of the information system containing personal information on a state resident that is 14 maintained by an information recipient occurs, the information recipient is not 15 required to comply with AS 45.48.010 - 45.48.030. However, immediately after the 16 information recipient discovers the breach, the information recipient shall notify the 17 information distributor who owns the personal information or who licensed the use of 18 the personal information to the information recipient about the breach and cooperate 19 with the information distributor as necessary to allow the information distributor to 20 comply with (b) of this section. In this subsection, "cooperate" means sharing with the 21 information distributor information relevant to the breach, except for confidential 22 business information or trade secrets. 23 (b) If an information recipient notifies an information distributor of a breach 24 under (a) of this section, the information distributor shall comply with AS 45.48.010 - 25 45.48.030 as if the breach occurred to the information system maintained by the 26 information distributor. 27 Sec. 45.48.080. Violations. (a) If an information collector who is a 28 governmental agency violates AS 45.48.010 - 45.48.090 with regard to the personal 29 information of a state resident, the information collector 30 (1) is liable to the state for a civil penalty of up to $500 for each state 31 resident who was not notified under AS 45.48.010 - 45.48.090, but the total civil

01 penalty may not exceed $50,000; and 02 (2) may be enjoined from further violations. 03 (b) If an information collector who is not a governmental agency violates 04 AS 45.48.010 - 45.48.090 with regard to the personal information of a state resident, 05 the violation is an unfair or deceptive act or practice under AS 45.50.471 - 45.50.561. 06 However, 07 (1) the information collector is not subject to the civil penalties 08 imposed under AS 45.50.551 but is liable to the state for a civil penalty of up to $500 09 for each state resident who was not notified under AS 45.48.010 - 45.48.090, except 10 that the total civil penalty may not exceed $50,000; and 11 (2) damages that may be awarded against the information collector 12 under 13 (A) AS 45.50.531 are limited to actual economic damages that 14 do not exceed $500; and 15 (B) AS 45.50.537 are limited to actual economic damages. 16 (c) The Department of Administration may enforce (a) of this section against a 17 governmental agency. The procedure for review of an order or action of the 18 department under this subsection is the same as the procedure provided by AS 44.62 19 (Administrative Procedure Act), except that the office of administrative hearings 20 (AS 44.64.010) shall conduct the hearings in contested cases and the decision may be 21 appealed under AS 44.64.030(c). 22 Sec. 45.48.090. Definitions. In AS 45.48.010 - 45.48.090, 23 (1) "breach of the security" means unauthorized acquisition, or 24 reasonable belief of unauthorized acquisition, of personal information that 25 compromises the security, confidentiality, or integrity of the personal information 26 maintained by the information collector; in this paragraph, "acquisition" includes 27 acquisition by 28 (A) photocopying, facsimile, or other paper-based method; 29 (B) a device, including a computer, that can read, write, or 30 store information that is represented in numerical form; or 31 (C) a method not identified by (A) or (B) of this paragraph;

01 (2) "covered person" means a 02 (A) person doing business; 03 (B) a governmental agency; or 04 (C) a person with more than 10 employees; 05 (3) "governmental agency" means a state or local governmental 06 agency, except for an agency of the judicial branch; 07 (4) "information collector" means a covered person who owns or 08 licenses personal information in any form if the personal information includes 09 personal information on a state resident; 10 (5) "information distributor" means a person who is an information 11 collector and who owns or licenses personal information to an information recipient; 12 (6) "information recipient" means a person who is an information 13 collector but who does not own or have the right to license to another information 14 collector the personal information received by the person from an information 15 distributor; 16 (7) "personal information" means information in any form on an 17 individual that is not encrypted or redacted, or is encrypted and the encryption key has 18 been accessed or acquired, and that consists of a combination of 19 (A) an individual's name; in this subparagraph, "individual's 20 name" means a combination of an individual's 21 (i) first name or first initial; and 22 (ii) last name; and 23 (B) one or more of the following information elements: 24 (i) the individual's social security number; 25 (ii) the individual's driver's license number or state 26 identification card number; 27 (iii) except as provided in (iv) of this subparagraph, the 28 individual's account number, credit card number, or debit card number; 29 (iv) if an account can only be accessed with a personal 30 code, the number in (iii) of this subparagraph and the personal code; in 31 this sub-subparagraph, "personal code" means a security code, an

01 access code, a personal identification number, or a password; 02 (v) passwords, personal identification numbers, or other 03 access codes for financial accounts. 04 Article 2. Credit Report and Credit Score Security Freeze. 05 Sec. 45.48.100. Security freeze authorized. A consumer may prohibit a 06 consumer credit reporting agency from releasing all or a part of the consumer's credit 07 report or credit score without the express authorization of the consumer by placing a 08 security freeze on the consumer's credit report. 09 Sec. 45.48.110. Placement of security freeze. (a) To place a security freeze, a 10 consumer shall make the request to the consumer credit reporting agency 11 (1) by mail to the address designated by the consumer credit reporting 12 agency to receive security freeze requests; or 13 (2) as allowed by (b) of this section. 14 (b) A consumer may make a request under (a) of this section by telephone or 15 by fax, the Internet, or other electronic media if the consumer credit reporting agency 16 has developed procedures for using the telephone or an electronic medium to receive 17 and process the request in an expedited manner. 18 (c) A consumer credit reporting agency shall place a security freeze within 19 five business days after receiving a request under (a) or (b) of this section and proper 20 identification from the consumer. 21 Sec. 45.48.120. Confirmation of security freeze. (a) Within 10 business days 22 after a consumer makes the request under AS 45.48.110, a consumer credit reporting 23 agency shall send a written confirmation of the placement of the security freeze to the 24 consumer. The confirmation must also inform the consumer that the consumer credit 25 reporting agency may charge, as allowed by AS 45.48.160(c), a fee for third-party 26 access during the security freeze. 27 (b) At the same time that the consumer credit reporting agency sends a 28 confirmation under (a) of this section, the consumer credit reporting agency shall 29 provide the consumer with a unique personal identification number, password, or 30 similar device to be used by the consumer when the consumer authorizes the release of 31 the consumer's credit report or credit score under AS 45.48.130.

01 Sec. 45.48.130. Access and actions during security freeze. (a) While a 02 security freeze is in place, a consumer credit reporting agency shall allow a third party 03 access to a consumer's credit report or credit score if the consumer requests that the 04 consumer credit reporting agency allow the access. 05 (b) To make a request under (a) of this section, the consumer shall contact the 06 consumer credit reporting agency by mail at the address designated by the consumer 07 credit reporting agency to receive security freeze requests or as allowed by (c) of this 08 section, authorize the consumer credit reporting agency to allow the access, and 09 provide the consumer credit reporting agency with 10 (1) proper identification to verify the consumer's identity; 11 (2) the unique personal identification number, password, or similar 12 device provided under AS 45.48.120(b); and 13 (3) the proper information necessary to identify the third party to 14 whom the consumer credit reporting agency may allow the access or the time period 15 during which the consumer credit reporting agency may allow the access to third 16 parties who request the access. 17 (c) In addition to making the request by mail, a consumer may make a request 18 under (a) of this section by telephone or by fax, the Internet, or other electronic media 19 if the consumer credit reporting agency has developed procedures for using the 20 telephone or an electronic medium to receive and process the request in an expedited 21 manner. 22 (d) A consumer credit reporting agency that receives a request from a 23 consumer under (b) or (c) of this section shall comply with the request within 15 24 minutes after receiving the request by telephone or by an electronic medium or within 25 three business days after receiving the request by mail. 26 (e) If a security freeze is in place, a consumer credit reporting agency may not 27 release the credit report or credit score to a third party without the prior express 28 authorization of the consumer. 29 (f) If a security freeze is in place on a consumer's credit report and credit score 30 and if a third party applies to a consumer credit reporting agency to provide the third 31 party with access to the consumer's credit report or credit score, the consumer credit

01 reporting agency and, except as provided for insurers under (g) of this section, the 02 third party may treat the third party's application as incomplete unless the consumer 03 authorizes the access under (a) of this section. 04 (g) If an insurer requests access to a consumer's credit report and credit score 05 on which a security freeze is in place, unless the consumer authorizes access under (a) 06 of this section, the insurer may, notwithstanding AS 21.36.460, 07 (1) treat the consumer's application as incomplete; 08 (2) decline the consumer's application if the consumer does not lift the 09 security freeze for the insurer after a request by the insurer or the insurer's agent; 10 (3) treat the consumer as if the consumer has a neutral credit rating; 11 (4) exclude the use of credit information as a factor and use only 12 underwriting criteria; or 13 (5) treat the consumer in a manner that is otherwise approved by the 14 division of insurance. 15 (h) If a security freeze is in place, a consumer credit reporting agency may not 16 change the consumer's official information in the consumer's credit report and credit 17 score without sending a written statement of the change to the consumer within 30 18 days after the change is made. A consumer credit reporting agency is not required to 19 send a written statement if the consumer credit reporting agency makes a technical 20 change in the consumer's official information. If a consumer credit reporting agency 21 makes a change, other than a technical change, in a consumer's address, the consumer 22 credit reporting agency shall send the written statement to the consumer at both the 23 new address and the former address. In this subsection, 24 (1) "official information" means name, birth date, social security 25 number, and address; 26 (2) "technical change" means changing spelling, transposing numbers 27 or letters, abbreviating a word, or spelling out an abbreviation. 28 (i) This section is not intended to prevent a consumer credit reporting agency 29 from advising a third party that requests access to a consumer's credit report or credit 30 score that a security freeze is in effect. 31 (j) The procedures used by a consumer credit reporting agency for

01 implementing the provisions of this section may include the use of telephone, 02 facsimile, or electronic means if making the disclosure by the electronic means is 03 consistent with the provisions regarding electronic records and signatures required for 04 notices legally required to be in writing under 15 U.S.C. 7001 et seq. (Electronic 05 Signatures in Global and National Commerce Act). 06 Sec. 45.48.140. Removal of security freeze. (a) Except as provided by 07 AS 45.48.130, a consumer credit reporting agency may not remove a security freeze 08 unless 09 (1) the consumer requests that the consumer credit reporting agency 10 remove the security freeze under (b) of this section; or 11 (2) the consumer made a material misrepresentation of fact to the 12 consumer credit reporting agency when the consumer requested the security freeze 13 under AS 45.48.110; if a consumer credit reporting agency intends to remove a 14 security freeze on a consumer's credit report under this paragraph, the consumer credit 15 reporting agency shall notify the consumer in writing before removing the security 16 freeze. 17 (b) A consumer credit reporting agency shall remove a security freeze within 18 three days after receiving a request for removal from the consumer who requested the 19 security freeze. 20 (c) To make a request under (b) of this section, the consumer shall contact the 21 consumer credit reporting agency by mail or as allowed by (d) of this section, 22 authorize the consumer credit reporting agency to remove the security freeze, and 23 provide the consumer credit reporting agency with 24 (1) proper identification to verify the consumer's identity; and 25 (2) the unique personal identification number, password, or similar 26 device provided under AS 45.48.120(b). 27 (d) In addition to mail, a consumer may make a request under (b) of this 28 section by telephone or by fax, the Internet, or other electronic media if the consumer 29 credit reporting agency has developed procedures for using the telephone or an 30 electronic medium to receive and process the request in an expedited manner. 31 Sec. 45.48.150. Prohibition. When dealing with a third party, a consumer

01 credit reporting agency may not suggest, state, or imply that a consumer's security 02 freeze reflects a negative credit score, history, report, or rating. 03 Sec. 45.48.160. Charges. (a) Except as provided by (b), (c), or (d) of this 04 section, a consumer credit reporting agency may not charge a consumer to place or 05 remove a security freeze, to provide access under AS 45.48.130, or to take any other 06 action, including the issuance of a personal identification number, password, or similar 07 device under AS 45.48.120, that is related to the placement of, removal of, or allowing 08 access to a credit report or credit score on which a security freeze has been placed. 09 (b) A consumer credit reporting agency may charge a consumer $10 for 10 placing a security freeze. 11 (c) If a consumer makes more than two access requests during a calendar year, 12 a consumer credit reporting agency may charge the consumer $2 for each additional 13 access request made by the consumer during that calendar year. In this subsection, 14 "access request" means a request made by the consumer under AS 45.48.130 to allow 15 third-party access to the consumer's credit report or credit score on which a security 16 freeze has been placed. 17 (d) If a consumer fails to retain a personal identification number, password, or 18 similar device issued under AS 45.48.120, a consumer credit reporting agency may 19 charge the consumer up to $5 for each time after the first time that the consumer credit 20 reporting agency issues the consumer another personal identification number, 21 password, or similar device because the consumer failed to retain the personal 22 identification number, password, or similar device. 23 Sec. 45.48.170. Notice of rights. When a consumer credit reporting agency is 24 required to give a consumer a summary of rights under 15 U.S.C. 1681g (Fair Credit 25 Reporting Act), a consumer credit reporting agency shall also give the consumer the 26 following notice: 27 Consumers Have the Right to Obtain a Security Freeze 28 You may obtain a security freeze on your credit report and 29 credit score for $10 to protect your privacy and ensure that credit is not 30 granted in your name without your knowledge. You have a right to 31 place a "security freeze" on your credit report and credit score under

01 state law (AS 45.48.100 - 45.48.290). 02 The security freeze will prohibit a consumer credit reporting 03 agency from releasing your credit score and any information in your 04 credit report without your express authorization or approval. 05 The security freeze is designed to prevent credit, loans, and 06 other services from being approved in your name without your consent. 07 However, you should be aware that using a security freeze to take 08 control over who gets access to the personal and financial information 09 in your credit report and credit score may delay, interfere with, or 10 prohibit the timely approval of any subsequent request or application 11 you make regarding a new loan, credit, a mortgage, a governmental 12 service, a governmental payment, a cellular telephone, a utility, an 13 Internet credit card application, an extension of credit at point of sale, 14 and other items and services. 15 When you place a security freeze on your credit report and 16 credit score, within 10 business days you will be provided a personal 17 identification number, password, or similar device to use if you choose 18 to remove the freeze on your credit report and credit score or to 19 temporarily authorize the release of your credit report and credit score 20 to a specific third party or specific third parties or for a specific period 21 of time after the freeze is in place. To provide that authorization, you 22 must contact the consumer credit reporting agency and provide all of 23 the following: 24 (1) proper identification to verify your identity; 25 (2) the personal identification number, password, or 26 similar device provided by the consumer credit reporting agency; 27 (3) proper information necessary to identify the third 28 party or third parties who are authorized to receive the credit report and 29 credit score or the specific period of time for which the credit report 30 and credit score are to be available to third parties. 31 A consumer credit reporting agency that receives your request

01 to temporarily lift a freeze on a credit report and credit score is required 02 to comply with the request within 15 minutes after receiving your 03 request if you make the request by telephone, or an electronic method if 04 the agency provides an electronic method, or within three business days 05 after receiving your request if you make the request by mail. After the 06 first two requests in a year, the consumer credit reporting agency may 07 charge you $2 to temporarily lift the freeze. 08 A security freeze does not apply to circumstances where you 09 have an existing account relationship and a copy of your credit report 10 and credit score are requested by your existing creditor or its agents or 11 affiliates for certain types of account review, collection, fraud control, 12 or similar activities. 13 If you are actively seeking credit, you should understand that 14 the procedures involved in lifting a security freeze may slow your own 15 applications for credit. You should plan ahead and lift a freeze, either 16 completely if you are shopping around, or specifically for a certain 17 creditor, days before applying for new credit. 18 You have a right to bring a civil action against someone who 19 violates your rights under these laws on security freezes. The action can 20 be brought against a consumer credit reporting agency. 21 Sec. 45.48.180. Notification after violation. If a consumer credit reporting 22 agency violates a security freeze by releasing a consumer's credit report or credit 23 score, the consumer credit reporting agency shall notify the consumer within five 24 business days after discovering or being notified of the release, and the information in 25 the notice must include an identification of the information released and of the third 26 party who received the information. 27 Sec. 45.48.190. Resellers. A consumer credit reporting agency that acts as a 28 reseller of consumer information shall honor a security freeze placed on a consumer's 29 credit report and credit score by another consumer credit reporting agency. 30 Sec. 45.48.200. Violations and penalties. (a) A consumer who suffers 31 damages as a result of a person's violation of AS 45.48.100 - 45.48.290 may bring an

01 action in court against the person and recover, in the case of a violation where the 02 person acted 03 (1) negligently, actual economic damages, court costs allowed by the 04 rules of court, and full reasonable attorney fees; 05 (2) knowingly, 06 (A) damages as described in (1) of this subsection; 07 (B) punitive damages that are not less than $100 nor more than 08 $5,000 for each violation as the court determines to be appropriate; and 09 (C) other relief that the court determines to be appropriate. 10 (b) A consumer may bring an action in court against a person for a violation or 11 threatened violation of AS 45.48.100 - 45.48.290 for injunctive relief, whether or 12 not the consumer seeks another remedy under this section. 13 (c) Notwithstanding (a)(2) of this section, a person who knowingly violates 14 AS 45.48.100 - 45.48.290 is liable in a class action for an amount that the court 15 allows. When determining the amount of an award in a class action under this 16 subsection, the court shall consider, among the relevant factors, the amount of any 17 actual damages awarded, the frequency of the violations, the resources of the violator, 18 and the number of consumers adversely affected. 19 (d) In this section, "knowingly" has the meaning given in AS 11.81.900. 20 Sec. 45.48.210. Exemptions. (a) The provisions of AS 45.48.100 - 45.48.290 21 do not apply to the use of a credit report by 22 (1) a person, the person's subsidiary, affiliate, or agent, or the person's 23 assignee with whom a consumer has or, before the assignment, had an account, 24 contract, or debtor-creditor relationship if the purpose of the use is to review the 25 consumer's account or to collect a financial obligation owing on the account, contract, 26 or debt; 27 (2) a subsidiary, an affiliate, an agent, an assignee, or a prospective 28 assignee of a person to whom access has been granted under AS 45.48.130 if the 29 purpose of the use is to facilitate the extension of credit or another permissible use; 30 (3) a person acting under a court order, warrant, or subpoena; 31 (4) an agency of a state or municipality that administers a program for

01 establishing and enforcing child support obligations; 02 (5) the Department of Health and Social Services, its agents, or its 03 assigns when investigating fraud; 04 (6) the Department of Revenue, its agents, or its assigns when 05 investigating or collecting delinquent taxes or unpaid court orders or when 06 implementing its other statutory responsibilities; 07 (7) a person if the purpose of the use is prescreening allowed under 15 08 U.S.C. 1681b(c) (Fair Credit Reporting Act); 09 (8) a person administering a credit file monitoring subscription service 10 to which the consumer has subscribed; 11 (9) a person providing a consumer with a copy of the consumer's credit 12 report or credit score at the consumer's request; or 13 (10) a consumer credit reporting agency if the data base or file of the 14 consumer credit reporting agency consists entirely of information concerning and used 15 solely for one or more of the following purposes: 16 (A) criminal record information; 17 (B) personal loss history information; 18 (C) fraud prevention or detection; 19 (D) tenant screening; or 20 (E) employment screening. 21 (b) Except as provided by AS 45.48.190, the provisions of AS 45.48.100 - 22 45.48.290 do not apply to a person when acting only as a reseller of consumer 23 information. 24 Sec. 45.48.290. Definitions. In AS 45.48.100 - 45.48.290, 25 (1) "account review" means activities related to account maintenance, 26 account monitoring, credit line increases, and account upgrades and enhancements; 27 (2) "consumer" means an individual who is the subject of a credit 28 report or credit score; 29 (3) "consumer credit reporting agency" has the meaning given in 30 AS 45.48.990, but does not include a person who issues reports 31 (A) on incidents of fraud or authorizations for the purpose of

01 approving or processing negotiable instruments, electronic funds transfers, or 02 similar methods of payments; or 03 (B) regarding account closures because of fraud, substantial 04 overdrafts, automated teller machine abuse, or similar negative information 05 regarding a consumer to inquiring banks or other financial institutions for use 06 only in reviewing consumer requests for deposit accounts at the inquiring 07 banks or financial institutions; 08 (4) "reseller of consumer information" means a person who assembles 09 and merges information contained in the data bases of consumer credit reporting 10 agencies and does not maintain a permanent data base of consumer information from 11 which new consumer credit reports are produced; 12 (5) "security freeze" means a prohibition against a consumer credit 13 reporting agency from releasing all or a part of a consumer's credit report or credit 14 score without the express authorization of the consumer; 15 (6) "third party" means a person who is not 16 (A) the consumer who is the subject of the consumer's credit 17 report or credit score; or 18 (B) the consumer credit reporting agency that is holding the 19 consumer's credit report or credit score. 20 Article 3. Protection of Social Security Number. 21 Sec. 45.48.400. Use of social security number. A person may not 22 (1) intentionally communicate or otherwise make available to the 23 general public an individual's social security number; 24 (2) print an individual's social security number on a card required for 25 the individual to access products or services provided by the person; 26 (3) require an individual to transmit the individual's social security 27 number over the Internet unless the Internet connection is secure or the social security 28 number is encrypted; 29 (4) require an individual to use the individual's social security number 30 to access an Internet site unless a password, a unique personal identification number, 31 or another authentication device is also required to access the site; or

01 (5) print an individual's social security number on material that is 02 mailed to the individual unless 03 (A) local, state, or federal law, including a regulation adopted 04 under AS 45.48.470, expressly authorizes placement of the social security 05 number on the material; or 06 (B) the social security number is included on an application or 07 other form, including a document sent as a part of an application process or an 08 enrollment process, sent by mail to establish, amend, or terminate an account, a 09 contract, or a policy, or to confirm the accuracy of the social security number; 10 however, a social security number allowed to be mailed under this 11 subparagraph may not be printed, in whole or in part, on a postcard or other 12 mailer that does not require an envelope, or in a manner that makes the social 13 security number visible on the envelope or without the envelope's being 14 opened. 15 Sec. 45.48.410. Request and collection. (a) A person who does business in the 16 state, including the business of government, may not request or collect an individual's 17 social security number. This subsection does not prohibit a person from asking for 18 another form of identification from the individual. 19 (b) The prohibition in (a) of this section does not apply 20 (1) if the person is expressly authorized by local, state, or federal law, 21 including a regulation adopted under AS 45.48.470, to demand proof of the 22 individual's social security number, to request or collect the individual's social security 23 number, or to submit the individual's social security number to the local, state, or 24 federal government; 25 (2) if the person is engaging in the business of government and 26 (A) is authorized by law to request or collect the individual's 27 social security number; or 28 (B) the request or collection of the individual's social security 29 number is required for the performance of the person's duties or 30 responsibilities as provided by law; 31 (3) to a financial institution that is regulated by 15 U.S.C. 6801 - 6827

01 (Gramm-Leach-Bliley Financial Modernization Act) if the financial institution 02 requests or collects the individual's social security number to facilitate a transaction of 03 the individual; 04 (4) to a communication to or from a consumer reporting agency; in this 05 paragraph, "consumer reporting agency" has the meaning given in 15 U.S.C. 1681a 06 (Fair Credit Reporting Act); 07 (5) if the request or collection is for a background check on the 08 individual, law enforcement or other government purposes, or the individual's 09 employment, including employment benefits; or 10 (6) if the request or collection does not have independent economic 11 value, is incidental to a larger transaction, and is necessary to verify the identity of the 12 individual. 13 Sec. 45.48.420. Sale, lease, loan, trade, or rental. (a) A person may not sell, 14 lease, loan, trade, or rent an individual's social security number to a third party. 15 (b) The prohibition in (a) of this section does not apply if the sale, lease, loan, 16 trade, or rental is 17 (1) expressly authorized by local, state, or federal law, including a 18 regulation adopted under AS 45.48.470; 19 (2) part of a report prepared by a consumer credit reporting agency in 20 response to a request by a person and the person submits the social security number as 21 part of the request to the consumer credit reporting agency for the preparation of the 22 report. 23 (c) Nothing in this section prevents a business from transferring social security 24 numbers to another person if the transfer is part of the sale or other transfer of the 25 business to the other person. 26 (d) A person who knowingly violates (a) of this section is guilty of a class A 27 misdemeanor. In this subsection, "knowingly" has the meaning given in AS 11.81.900. 28 Sec. 45.48.430. Disclosure. (a) A person doing business, including the 29 business of government, may not disclose an individual's social security number to a 30 third party. 31 (b) The prohibition in (a) of this section does not apply if

01 (1) the disclosure is expressly authorized by local, state, or federal law, 02 including a regulation adopted under AS 45.48.470; 03 (2) the person is engaging in the business of government and 04 (A) is authorized by law to disclose the individual's social 05 security number; or 06 (B) the disclosure of the individual's social security number is 07 required for the performance of the person's duties or responsibilities as 08 provided by law; 09 (3) the third party is a financial institution that is regulated by 15 10 U.S.C. 6801 - 6827 (Gramm-Leach-Bliley Financial Modernization Act), and the 11 disclosure is to facilitate a transaction of the individual; 12 (4) the disclosure is part of a report prepared by a consumer credit 13 reporting agency in response to a request by a person and the person submits the social 14 security number as part of the request to the consumer credit reporting agency for the 15 preparation of the report; or 16 (5) the disclosure is for a background check on the individual, law 17 enforcement or other government purposes, or the individual's employment, including 18 employment benefits. 19 Sec. 45.48.440. Interagency disclosure. Notwithstanding the other provisions 20 of AS 45.48.400 - 45.48.480, a state or local governmental agency may disclose an 21 individual's social security number to another state or local governmental agency or to 22 an agency of the federal government if the disclosure is required in order for the 23 agency to carry out the agency's duties and responsibilities. 24 Sec. 45.48.450. Exception for employees, agents, and independent 25 contractors. (a) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, a 26 person may disclose an individual's social security number to an employee or agent of 27 the person for a legitimate purpose established by and as directed by the person, but 28 the employee or agent may not use the social security number for another purpose or 29 make an unauthorized disclosure of the individual's personal information. 30 (b) Notwithstanding the other provisions of AS 45.48.400 - 45.48.480, and 31 except as provided for an agent under (a) of this section, a person may disclose an

01 individual's social security number to an independent contractor of the person to 02 facilitate the purpose or transaction for which the individual initially provided the 03 social security number to the person, but the independent contractor may not use the 04 social security number for another purpose or make an unauthorized disclosure of the 05 individual's personal information. 06 Sec. 45.48.460. Employment-related exception. The provisions of 07 AS 45.48.400 - 45.48.480 may not be construed to restrict a person's use or exchange 08 of an individual's social security number 09 (1) in the course of the administration of a claim, benefit, or procedure 10 related to the individual's employment by the person, including the individual's 11 termination from employment, retirement from employment, and injury suffered 12 during the course of employment; or 13 (2) to check on an unemployment insurance claim of the individual. 14 Sec. 45.48.470. Agency regulations. If regulations are necessary in order for a 15 state agency to carry out the state agency's duties and responsibilities, a state agency 16 may adopt regulations under AS 44.62 (Administrative Procedure Act) to establish 17 when the state agency or a person regulated by the state agency may 18 (1) print an individual's social security number on material that is 19 mailed to the individual; 20 (2) demand proof from an individual of the individual's social security 21 number, collect from an individual the individual's social security number, or submit 22 an individual's social security number to a local, state, or federal agency; 23 (3) ask an individual to provide the state agency with the individual's 24 social security number; 25 (4) disclose an individual's social security number to a third party; 26 (5) sell, lease, loan, trade, or rent an individual's social security number 27 to a third party. 28 Sec. 45.48.480. Penalties. (a) A person who knowingly violates AS 45.48.400 29 - 45.48.430 is liable to the state for a civil penalty not to exceed $3,000. 30 (b) An individual may bring a civil action in court against a person who 31 knowingly violates AS 45.48.400 - 45.48.430 and may recover actual economic

01 damages, court costs allowed by the rules of court, and full reasonable attorney fees. 02 (c) In this section, "knowingly" has the meaning given in AS 11.81.900. 03 Article 4. Disposal of Records. 04 Sec. 45.48.500. Disposal of records. (a) When disposing of records that 05 contain personal information, a business and a governmental agency shall take all 06 reasonable measures necessary to protect against unauthorized access to or use of the 07 records. 08 (b) Notwithstanding (a) of this section, if a business or governmental agency 09 has otherwise complied with the provisions of AS 45.48.500 - 45.48.590 in the 10 selection of a third party engaged in the business of record destruction, the business or 11 governmental agency is not liable for the disposal of records under AS 45.48.500 - 12 45.48.590 after the business or governmental agency has relinquished control of the 13 records to the third party for the destruction of the records. 14 (c) A business or governmental agency is not liable for the disposal of records 15 under AS 45.48.500 - 45.48.590 after the business or governmental agency has 16 relinquished control of the records to the individual to whom the records pertain. 17 Sec. 45.48.510. Measures to protect access. The measures that may be taken 18 to comply with AS 45.48.500 include 19 (1) implementing and monitoring compliance with policies and 20 procedures that require the burning, pulverizing, or shredding of paper documents 21 containing personal information so that the personal information cannot practicably be 22 read or reconstructed; 23 (2) implementing and monitoring compliance with policies and 24 procedures that require the destruction or erasure of electronic media and other 25 nonpaper media containing personal information so that the personal information 26 cannot practicably be read or reconstructed; 27 (3) after due diligence, entering into a written contract with a third 28 party engaged in the business of record destruction to dispose of records containing 29 personal information in a manner consistent with AS 45.48.500 - 45.48.590. 30 Sec. 45.48.520. Due diligence. In AS 45.48.510(3), due diligence ordinarily 31 includes performing one or more of the following:

01 (1) reviewing an independent audit of the third party's operations and 02 its compliance with AS 45.48.500 - 45.48.590; 03 (2) obtaining information about the third party from several references 04 or other reliable sources and requiring that the third party be certified by a recognized 05 trade association or similar organization with a reputation for high standards of quality 06 review; or 07 (3) reviewing and evaluating the third party's information security 08 policies and procedures, or taking other appropriate measures to determine the 09 competency and integrity of the third party. 10 Sec. 45.48.530. Policy and procedures. A business or governmental agency 11 shall adopt written policies and procedures that relate to the adequate destruction and 12 proper disposal of records containing personal information and that are consistent with 13 AS 45.48.500 - 45.48.590. 14 Sec. 45.48.540. Exemptions. (a) A business or a governmental agency is not 15 required to comply with AS 45.48.500 - 45.48.530 if federal law requires that the 16 business or governmental agency act in a way that does not comply with AS 45.48.500 17 - 45.48.530. 18 (b) A business is not required to comply with AS 45.48.500 - 45.48.530 if 19 (1) the business is subject to and in compliance with 15 U.S.C. 6801 - 20 6827 (Gramm-Leach-Bliley Financial Modernization Act); or 21 (2) the manner of the disposal of the records of the business is subject 22 to 15 U.S.C. 1681w (Fair Credit Reporting Act) and the business is complying with 15 23 U.S.C. 1861w. 24 Sec. 45.48.550. Civil penalty. (a) An individual, a business, or a governmental 25 agency that knowingly violates AS 45.48.500 - 45.48.590 is liable to the state for a 26 civil penalty not to exceed $3,000. 27 (b) In this section, "knowingly" has the meaning given in AS 11.81.900. 28 Sec. 45.48.560. Court action. An individual who is damaged by a violation of 29 AS 45.48.500 - 45.48.590 may bring a civil action in court to enjoin further violations 30 and to recover for the violation actual economic damages, court costs allowed by the 31 rules of court, and full reasonable attorney fees.

01 Sec. 45.48.590. Definitions. In AS 45.48.500 - 45.48.590, 02 (1) "business" means a person who conducts business in the state or a 03 person who conducts business and maintains or otherwise possesses personal 04 information on state residents; in this paragraph, 05 (A) "conducts business" includes engaging in activities as a 06 financial institution organized, chartered, or holding a license or authorization 07 certificate under the laws of this state, another state, the United States, or 08 another country; 09 (B) "possesses" includes possession for the purpose of 10 destruction; 11 (2) "dispose" means 12 (A) the discarding or abandonment of records containing 13 personal information; 14 (B) the sale, donation, discarding, or transfer of 15 (i) any medium, including computer equipment or 16 computer media, that contains records of personal information; 17 (ii) nonpaper media, other than that identified under (i) 18 of this subparagraph, on which records of personal information are 19 stored; and 20 (iii) equipment for nonpaper storage of information; 21 (3) "governmental agency" means a state or local governmental 22 agency, except for an agency of the judicial branch; 23 (4) "personal information" means 24 (A) an individual's passport number, driver's license number, 25 state identification number, bank account number, credit card number, debit 26 card number, other payment card number, financial account information, or 27 information from a financial application; or 28 (B) a combination of an individual's 29 (i) name; and 30 (ii) medical information, insurance policy number, 31 employment information, or employment history;

01 (5) "records" means material on which information that is written, 02 drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of 03 physical form or characteristics, but does not include publicly available information 04 containing names, addresses, telephone numbers, or other information an individual 05 has voluntarily consented to have publicly disseminated or listed. 06 Article 5. Factual Declaration of Innocence after Identity Theft; Right to File Police 07 Report Regarding Identity Theft. 08 Sec. 45.48.600. Factual declaration of innocence after identity theft. (a) A 09 victim of identity theft may petition the superior court for a determination that the 10 victim is factually innocent of a crime if 11 (1) the perpetrator of the identity theft was arrested for, cited for, or 12 convicted of the crime using the victim's identity; 13 (2) a criminal complaint was filed against the perpetrator of the 14 identity theft; and 15 (3) the victim's identity was mistakenly associated with a record of a 16 conviction for a crime. 17 (b) In addition to a petition by a victim under (a) of this section, the 18 department may petition the superior court for a determination under (a) of this 19 section, or the superior court may, on its own motion, make a determination under (a) 20 of this section. 21 Sec. 45.48.610. Basis for determination. A determination of factual 22 innocence under AS 45.48.600 may be heard and made on declarations, affidavits, 23 police reports, or other material, relevant, and reliable information submitted by the 24 parties or ordered to be made a part of the record by the court. 25 Sec. 45.48.620. Criteria for determination; court order. (a) A court may 26 determine that a petitioner under AS 45.48.600 is factually innocent of a crime if the 27 court finds beyond a reasonable doubt that 28 (1) the petitioner is a victim of identity theft; 29 (2) the petitioner did not commit the offense for which the perpetrator 30 of the identity theft was arrested, cited, or convicted; 31 (3) the petitioner filed a criminal complaint against the perpetrator of

01 the identity theft; and 02 (4) the petitioner's identity was mistakenly associated with a record of 03 conviction for the crime. 04 (b) If a court finds under this section that the victim is factually innocent of a 05 crime, the court shall issue an order indicating this determination of factual innocence 06 and shall provide the victim with a copy of the order. 07 Sec. 45.48.630. Orders regarding records. After a court issues an order under 08 AS 45.48.620, the court may order the name and associated personal information of 09 the victim of identity theft that is contained in the files, indexes, and other records of 10 the court that are accessible by the public labeled to show that the name and personal 11 information of the victim of identity theft is incorrect. 12 Sec. 45.48.640. Vacation of determination. A court that has issued an order 13 under AS 45.48.620 may, at any time, vacate the order if the petition, or any 14 information submitted in support of the petition, is found to contain a material 15 misrepresentation, omission, or false information. 16 Sec. 45.48.650. Court form. The supreme court of the state may develop a 17 form to be used for the order under AS 45.48.620. 18 Sec. 45.48.660. Data base. The department may establish and maintain a data 19 base of individuals who have been victims of identity theft and who have received an 20 order under AS 45.48.620. The department shall provide a victim or the victim's 21 authorized representative access to a data base established under this section to 22 establish that the individual has been a victim of identity theft. Access to the a data 23 base established under this section is limited to criminal justice agencies, victims of 24 identity theft, and individuals and agencies authorized by the victims. 25 Sec. 45.48.670. Toll-free telephone number. The department may establish 26 and maintain a toll-free telephone number to provide access to information in a data 27 base established under AS 45.48.660. 28 Sec. 45.48.680. Right to file police report regarding identity theft. (a) Even 29 if the local law enforcement agency does not have jurisdiction over the theft of an 30 individual's identity, if an individual who has learned or reasonably suspects the 31 individual has been the victim of identity theft contacts, for the purpose of filing a

01 complaint, a local law enforcement agency that has jurisdiction over the individual's 02 actual place of residence, the local law enforcement agency shall make a report of the 03 matter and provide the individual with a copy of the report. The local law enforcement 04 agency may refer the matter to a law enforcement agency in a different jurisdiction. 05 (b) This section is not intended to interfere with the discretion of a local law 06 enforcement agency to allocate its resources to the investigation of crime. A local law 07 enforcement agency is not required to count a complaint filed under (a) of this section 08 as an open case for purposes that include compiling statistics on its open cases. 09 Sec. 45.48.690. Definitions. In AS 45.48.600 - 45.48.690, 10 (1) "crime" has the meaning given in AS 11.81.900; 11 (2) "department" means the Department of Law; 12 (3) "identity theft" means the theft of the identity of an individual; 13 (4) "perpetrator" means the person who perpetrated the theft of an 14 individual's identity; 15 (5) "victim" means an individual who is the victim of identity theft. 16 Article 6. Truncation of Card Information. 17 Sec. 45.48.750. Truncation of card information. (a) A person who accepts 18 credit cards or debit cards for the transaction of business may not print more than the 19 last four digits of the card number or the expiration date on any receipt or other 20 physical record of the transaction provided at the point of the sale or transaction. 21 (b) This section applies only to receipts that are electronically printed and does 22 not apply to transactions in which the sole means of recording a credit card or debit 23 card account number is by handwriting or by an imprint or copy of the card. 24 (c) A person may not sell a device that electronically prints more than the last 25 four digits of a credit card or debit card on a consumer receipt for a business 26 transaction or on a copy retained by a business person for a business transaction. 27 (d) An individual may bring a civil action in court against a person who 28 knowingly violates (a) of this section and may recover actual economic damages, 29 court costs allowed by the rules of court, and full reasonable attorney fees. 30 (e) A person who knowingly violates this section is liable to the state for a 31 civil penalty not to exceed $3,000.

01 (f) In this section, 02 (1) "credit" means the right granted by a creditor to a debtor to defer 03 payment of debt, to incur debts and defer payment of the debt, or to purchase property 04 or services and defer payment of the purchase;in this paragraph, "creditor" means a 05 person who regularly extends, renews, or continues credit, a person who regularly 06 arranges for the extension, renewal, or continuation of credit, or an assignee of an 07 original creditor who participates in the decision to extend, renew, or continue credit; 08 (2) "credit card" means a card, plate, coupon book, or other credit 09 device existing for the purpose of obtaining money, property, labor, or services on 10 credit; 11 (3) "debit card" means a card issued by a financial institution to a 12 consumer for use in initiating an electronic fund transfer from the account of the 13 consumer at the financial institution for the purpose of transferring money between 14 accounts or obtaining money, property, labor, or services; 15 (4) "knowingly" has the meaning given in AS 11.81.900. 16 Article 7. General Provisions. 17 Sec. 45.48.990. Definitions. In this chapter, unless the context indicates 18 otherwise, 19 (1) "consumer" means an individual; 20 (2) "consumer credit reporting agency" means a person who, for 21 monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or 22 in part in the practice of assembling or evaluating consumer credit information or 23 other information on consumers for the purpose of furnishing credit reports to third 24 parties; 25 (3) "credit report" means a written, oral, or other communication of 26 information by a consumer credit reporting agency bearing on a consumer's credit 27 worthiness, credit standing, credit capacity, character, general reputation, personal 28 characteristics, or mode of living if the communication is used or expected to be used 29 or collected in whole or in part to serve as a factor in establishing the consumer's 30 eligibility for 31 (A) credit or insurance to be used primarily for personal,

01 family, or household purposes; 02 (B) employment purposes; or 03 (C) any other permissible purpose authorized under section 15 04 U.S.C. 1681b; 05 (4) "information system" means any information system, including a 06 system consisting of digital data bases and a system consisting of pieces of paper; 07 (5) "person" has the meaning given in AS 01.10.060 and includes a 08 state or local governmental agency, except for an agency of the judicial branch; 09 (6) "state resident" means an individual who satisfies the residency 10 requirements under AS 01.10.055. 11 Sec. 45.48.995. Short title. This chapter may be cited as the Alaska Personal 12 Information Protection Act. 13 * Sec. 4. AS 45.50.471(b) is amended by adding a new paragraph to read: 14 (53) an information collector, other than a governmental agency, 15 violating AS 45.48.010 - 45.48.090 (breach of security involving personal 16 information); in this paragraph, 17 (A) "governmental agency" has the meaning given in 18 AS 45.48.090; 19 (B) "information collector" has the meaning given in 20 AS 45.48.090. 21 * Sec. 5. The uncodified law of the State of Alaska is amended by adding a new section to 22 read: 23 INDIRECT COURT RULE AMENDMENTS. (a) AS 45.48.640, enacted by sec. 3 of 24 this Act, has the effect of changing Rule 60(b), Alaska Rules of Civil Procedure, by allowing 25 a court to vacate an order on its own motion and at any time and by establishing a specific 26 criterion for vacating the order under AS 45.48.640. 27 (b) AS 45.48.200(a), 45.48.480(b), 45.48.560, and 45.48.750(d), enacted by sec. 3 of 28 this Act, have the effect of changing Rule 82, Alaska Rules of Civil Procedure, by changing 29 the criteria for determining the amount of attorney fees to be awarded to a party in an action 30 under AS 45.48.200(a), 45.48.480(b), 45.48.560, or 45.48.750(d). 31 * Sec. 6. The uncodified law of the State of Alaska is amended by adding a new section to

01 read: 02 TRANSITION: REGULATIONS. A state agency may proceed to adopt regulations 03 necessary to implement this Act. The regulations take effect under AS 44.62 (Administrative 04 Procedure Act), but not before the effective date of the law implemented by the regulation. 05 * Sec. 7. AS 45.48.470, enacted by sec. 3 of this Act, takes effect immediately under 06 AS 01.10.070(c). 07 * Sec. 8. Section 6 of this Act takes effect immediately under AS 01.10.070(c). 08 * Sec. 9. Except as provided by secs. 7 and 8 of this Act, this Act takes effect January 1, 09 2009.