Legislature(2005 - 2006)BUTROVICH 205
02/27/2006 08:30 AM Senate JUDICIARY
| Audio | Topic |
|---|---|
| Start | |
| SB222 | |
| SB216 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| += | SB 206 | TELECONFERENCED | |
| += | SB 222 | TELECONFERENCED | |
| *+ | SB 216 | TELECONFERENCED | |
| + | TELECONFERENCED |
SB 222-PROTECTION OF PERSONAL INFORMATION
8:46:03 AM
CHAIR RALPH SEEKINS announced SB 222 to be up for consideration.
GAIL VOITLANDER, Chief Assistant Attorney General, Department of
Law (DOL), introduced herself and advised the committee that she
was pinch hitting for Assistant Attorney General Ed Sniffen who
was involved with the bill and far more knowledgeable about the
consumer implications. She limited her testimony to how the bill
would affect the state and its employees.
Personal information is a primary tool in state government to
use to ensure that, when it takes action about someone, such as
collections activities and criminal prosecution, they have the
correct person that they are acting upon. For this reason the
state tends to have multiple identifiers to ensure they have the
correct state action.
8:48:44 AM
There is no utility in making states liable so long as they do
have a legal obligation to comply with the law. The DOL would
recommend in terms of liability that the bill would impose for
claims against the state to insert a subsection (d) on page 3 to
say, an action may not be brought against a governmental entity
or its employees. The state is such a target for frivolous
lawsuits that the DOL believes this to be necessary.
8:51:23 AM
CHAIR SEEKINS asked Ms. Voitlander whether she was saying that
the state never reveals collected information and that they
never supply or sell it to outside entities.
MS. VOITLANDER clarified state procedures require certain
information be used. For example, the Criminal Division of the
DOL discloses social security information regularly to the court
in connection with criminal prosecution. The Human Services and
Collections section of the DOL collect and disclose personal
information to pursue collections of judgment. The Department of
Motor Vehicles (DMV) obtains and uses social security numbers in
many contexts. The Alaska Commission on Post Secondary Education
collects personal information and passes it along to credit
agencies when a borrower defaults on loans.
To say that the state sells the information would suggest that
there is a profit motivation, but it is not a profit generating
system.
8:54:48 AM
CHAIR SEEKINS suggested it was not the intent of the bill
sponsors to limit the internal transfer of identifiers among
state agencies.
SENATOR GENE THERRIAULT responded that language already in the
bill would cover much of that concern, such as if the transfer
is required by state or federal law. He suggested there were
probably many instances where the state needs to tighten down
its procedures and provide better consumer protection.
CHAIR SEEKINS asked whether it was the intent of the DOL to try
to shield a state employee who was acting outside of the normal
course of their duties.
MS. VOITLANDER said the suggested language doesn't differentiate
in terms of motivation. If a state employee were acting wrongly
they would be the subject of disciplinary action.
8:57:55 AM
MS. VOITLANDER suggested that Mr. Sniffen should weigh in on the
bill the next time it is heard.
8:59:11 AM
SENATOR GRETCHEN GUESS commented the impetus of the bill was due
to the population's desire for privacy. She said, "We have the
situation where the state has most of the data on us and ... I
haven't heard of any situations of selling it for profit but
[the data] has been disclosed in Alaska." It is not the intent
to limit the bill to the private sector. Also the bill does not
prohibit transfer of the social security number within a state
entity, but it does prohibit transfer to a third party.
9:01:09 AM
CHAIR SEEKINS speculated that the penalty for a state employee
who purposefully discloses private information would be
substantial.
9:02:17 AM
PAT LUBY, Advocacy Director for AARP, testified in support of SB
222. Their only concern is the preemption clause on page 22.
"Alaska should be assertive and aggressive in defending our
citizens," he said.
9:05:40 AM
ELIZABETH MOCERI, Regional Counsel for Allstate Insurance, asked
for the bill sponsors to examine the insurance industry and
perhaps create a "carve-out" provision so that they can continue
to use credit information for claims adjustment.
9:07:25 AM
CHAIR SEEKINS asked Ms. Moceri the reason the industry would
need a carve-out provision.
MS. MOCERI replied when a person applies in for automobile
insurance in order to drive that day and they have a freeze on
their credit information then the insurance company would be
unable to provide them with a rate. Also, people buying a house
don't want to wait for several days to get their quote because
they need to close the deal.
9:09:10 AM
SENATOR GUESS asked Ms. Moceri whether the insurance company
could offer an estimated rate until the credit is lifted.
MS. MOCERI countered it would not be the correct rate. Under
Alaska law a person has a right to request a review of their
credit but there would be no system in place that would allow
for a consumer to shop around for the best rate.
9:12:06 AM
SENATOR GUESS commented when a person chooses to freeze their
credit information they have made a personal choice knowing the
consequences.
SENATOR THERRIAULT noted the consumer would be aware that a
voluntary credit information freeze would make them ineligible
for things such as getting an instant credit card. He said if a
person chooses to freeze their credit they just have to be
mindful of the consequences.
9:14:15 AM
CHAIR SEEKINS asked Ms. Moceri whether she had any information
on the percentage of people who would actually freeze their
information.
MS. MOCERI advised that it is only 5/100 of 1 percent.
9:19:22 AM
KENTON BRINE, Insurance Agent, Property Casualty Insurance
Association of America, agreed with the concerns expressed by
Ms. Moceri and said insurance companies want to continue to
provide their customers with the best access to the best rates.
He suggested the committee consider redefining the definition of
"credit reports" to apply only to credit reports that are sought
for the purpose of determining eligibility for the extension of
credit.
9:21:26 AM
MR. BRINE said insurers are different. They do access credit
reports but not for the purpose of determining whether to loan
someone money. They do not share information with third parties.
The goal is to provide access to consumers but what also should
be considered is the large amounts of systemic changes that the
industry would have to employ for such a small amount of people,
referencing the 5/100 of 1 percent figure. He suggested the
committee look at other states so that there can be some
uniformity.
9:23:23 AM
SENATOR GUESS referred to the trend of insurance companies
consolidating with other financial companies and asked whether
information was being shared within the company for other
financial services.
MR. BRINE said he believed it was eligible to be.
CHAIR SEEKINS asked for an example of the process used within
the property casualty insurance business where they would need
the credit information and how timeliness has an effect.
MR. BRINE replied when a consumer shops for insurance it would
make a difference whether they receive an accurate rate. He
estimated that it would be difficult for the consumer to place
or lift a freeze on their credit and implied that it might add
to the overall cost of insurance for everyone.
9:26:39 AM
CHAIR SEEKINS asked what questions are asked when people shop
online for insurance.
MR. BRINE said it was different from company to company.
9:28:01 AM
MIKE TIBBLES, Deputy Commissioner, Department of Administration
(DOA), spoke about some initiatives that the Department has
taken in regards to confidentiality of consumer information.
Every employee must sign a confidentiality statement.
9:29:31 AM
Last year the Department requested $20 million dollars for a new
payroll system, which will move employee records from a social
security base to an employee identification base. The bid
process is currently active and he intends to announce a
successful bidder shortly. The Department has removed the social
security number off of the health cards and no longer requires a
person to use their social security number to access the
Retirement and Benefits website.
9:31:27 AM
There is a system in place at the Department of Motor Vehicles
(DMV) that allows the Department to "fingerprint" who accesses
personal information and so they are able to identify a security
breach fairly quickly.
The Department is in the midst of deploying the Cisco Security
System and that will protect the state network from outside
attacks, however a breach of security could be costly to the
state because as the bill is drafted, the state would have to
send out over 600,000 notices if, for example, a security breach
happened at the DMV. The Department would like to see the
notices only required when there is personal information
released but then again, not if that information were encrypted.
9:34:01 AM
The bill does not clarify whether the Department would be
required to send notices only to the individuals whose
information was leaked.
9:36:19 AM
Attacks come in many different forms, such as a "botnik" where
no personal information is accessed but it is a breach of
security so the Department would be required to send notices in
such a case.
9:37:41 AM
The state currently receives time slips and leave slips with
social security numbers on them over the Internet. It is the way
the current system identifies employees. The Department of Law
testified that people applying for jobs on the Workplace Alaska
website are required to enter their social security number and
that enables them to do a background check as well.
9:39:30 AM
Regarding payroll reports and W2s, the Division of Personnel
maintains records off-site and requires a key code to enter into
the records system. The Department is open to updating the
security for that system.
9:40:18 AM
SENATOR GUESS asked Mr. Tibbles whether a typical encryption
code could be broken.
MR. TIBBLES implied that it could.
SENATOR GUESS noted that page 16 lines 3-5 in the bill would
allow for an entity to obtain a social security number over the
Internet if it is encrypted. She said it is now possible to
perform a background check without a social security number.
9:42:51 AM
CHAIR SEEKINS asked Mr. Tibbles whether he was aware of any part
of the state system that is easily accessible for the purpose of
aiding in identity theft.
MR. TIBBLES said the DMV is sometimes mandated to give personal
information to outside parties such as tow-truck drivers. The
statute requires them to also provide personal information to
law enforcement. Under federal law, the DMV is also authorized
to provide personal information to credit agencies. The statute
also allows for a person to provide consent to another person to
get information from the DMV.
9:46:14 AM
CHAIR SEEKINS asked whether most employees of the State of
Alaska have a state identification card with a unique
identifying number.
MR. TIBBLES responded that is the goal but it is not currently
possible to re-code them from a social security number to a
different number. The Cisco Security system should solve that
problem once it is up and running.
[Chair Seekins then accessed the DMV website from his laptop and
cited all of the information that he could obtain from the
website, noting that all he had to do was certify that he was a
business owner and that the information obtained was to be used
strictly for business purposes.]
9:49:09 AM
MR. TIBBLES responded with an example of a recall notice where
manufacturers obtain personal information in order to send out
recall notices.
CHAIR SEEKINS said the concern was the amount of leaks in the
system that could be used to access information.
SENATOR THERRIAULT added there are shelves full of documents
that have social security numbers on them.
9:52:47 AM
SENATOR GUESS requested that Mr. Tibbles submit to the committee
more specific examples of issues in the system.
9:54:16 AM at ease 10:04:19 AM.
Senator Hollis French joined the meeting.
CHAIR SEEKINS noted there were no other people signed up to
testify. He held SB 222 in committee.
| Document Name | Date/Time | Subjects |
|---|