Legislature(2005 - 2006)CAPITOL 120

02/10/2006 01:00 PM JUDICIARY


Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ HB 93 DENTISTS AND DENTAL HYGIENISTS TELECONFERENCED
<Bill Hearing Canceled>
+ HB 226 PERSONAL INFORMATION BREACH TELECONFERENCED
Moved CSHB 226(JUD) Out of Committee
+ HB 190 REQUIRED ID FOR PURCHASING ALCOHOL TELECONFERENCED
Moved CSHB 190(JUD) Out of Committee
+= Bills Previously Heard/Scheduled TELECONFERENCED
+= HB 343 HARASSMENT TELECONFERENCED
Moved CSHB 343(JUD) Out of Committee
HB 226 - PERSONAL INFORMATION BREACH                                                                                          
                                                                                                                                
[Contains brief  mention that language of  proposed amendments to                                                               
HB 226 was derived from SB 222.]                                                                                                
                                                                                                                                
1:43:04 PM                                                                                                                    
                                                                                                                                
CHAIR McGUIRE announced that the  next order of business would be                                                               
HOUSE  BILL NO.  226, "An  Act relating  to breaches  of security                                                               
involving  personal information;  and relating  to credit  report                                                               
security freezes."  [Before the committee was CSHB 226(L&C).]                                                                   
                                                                                                                                
REPRESENTATIVE  GARA,  speaking  as  the  sponsor,  relayed  that                                                               
HB 226  is  intended  to address  situations  involving  security                                                               
breaches  at financial  companies  that trade,  hold, and  supply                                                               
individuals'  personal and  financial information.   At  the time                                                               
the bill was started, only 3  or 4 states were responding to this                                                               
issue,  but more  have  responded since  then.   The  bill is  in                                                               
response to  a situation that  occurred over  a year ago,  when a                                                               
company called  ChoicePoint, Inc. ("ChoicePoint"),  experienced a                                                               
security  breach that  affected about  145,000 clients.   Because                                                               
California  law  mandated  that   clients  be  notified  of  such                                                               
security breaches,  ChoicePoint notified  its clients  located in                                                               
California,  but  didn't  notify   any  of  its  clients  located                                                               
elsewhere.                                                                                                                      
                                                                                                                                
REPRESENTATIVE GARA explained  that HB 226 is modeled  in part on                                                               
two  provisions of  that California  law:   one,  when a  company                                                               
releases  a person's  financial information  accidentally because                                                               
of theft,  that company must  notify the person of  that security                                                               
breach;  two,  when  a  person has  an  indication  that  his/her                                                               
information is no  longer secure, the person will  have the right                                                               
to call  the three consumer financial  information clearinghouses                                                               
and  have  them   put  a  freeze  on   releasing  his/her  credit                                                               
information to a third party.                                                                                                   
                                                                                                                                
1:47:40 PM                                                                                                                    
                                                                                                                                
JOHN L.  GEORGE, Lobbyist for  American Council of  Life Insurers                                                               
(ACLI), relayed that  the ACLI has been working  with the sponsor                                                               
on this  bill and  the sponsor has  been very  accommodating, and                                                               
characterized  CSHB  226(L&C)  as   a  better  version  than  the                                                               
original bill.   He indicated that  he has two issues  to discuss                                                               
and both pertain to language  in proposed AS 45.48.390 located on                                                               
pages 11-12.  Proposed subparagraph  (A) indicates that "personal                                                               
information" consists  of a combination of  an individual's first                                                               
name or  first initial,  the individual's last  name, and  one or                                                               
more of the following:   the individual's social security number;                                                               
the  number  of  the  individual's   driver's  license  or  state                                                               
identification card;  the individual's account number,  or credit                                                               
card  or  debit  card  account   number;  or  account  passwords,                                                               
personal   identification  numbers,   or   other  access   codes.                                                               
However, he  pointed out, proposed  subparagraph (B)  states that                                                               
"personal   information"   could   consist    of   one   of   the                                                               
aforementioned elements  if it would  be sufficient to  engage in                                                               
or attempt to engage in the theft of the individual's identity.                                                                 
                                                                                                                                
MR. GEORGE opined that as  written, this definition is ambiguous;                                                               
"personal  information"  should  consist  of one  or  the  other,                                                               
either what's  specified in subparagraph (A)  or what's specified                                                               
in  subparagraph (B).   For  example, under  subparagraph (B),  a                                                               
social  security  number  would   be  sufficient,  whereas  under                                                               
subparagraph (A), both the individual's  name and social security                                                               
number  would be  required.   He  suggested that  the removal  of                                                               
subparagraph (B) would  improve the bill substantially.   He then                                                               
referred to  the language  on page  11, line 23  - which  says in                                                               
part, "the information elements are  not encrypted" - and said he                                                               
is  unable to  find a  definition of  encryption.   He suggested,                                                               
therefore,  that   the  words,  "or  secured   by  another  means                                                               
rendering  the information  unreadable" be  added; such  a change                                                               
would cover  both current and  future technology  without harming                                                               
the intent of the bill.                                                                                                         
                                                                                                                                
MR.  GEORGE,  in  response  to a  question,  clarified  that  his                                                               
suggested change would be to replace  - on page 11, lines 23-24 -                                                               
the  words,  "or redacted"  with  the  words:   ",  redacted,  or                                                               
secured by another means rendering the information unreadable".                                                                 
                                                                                                                                
REPRESENTATIVE  GARA offered  his belief  that neither  suggested                                                               
change is  needed.  The  term "encrypted" is used  in California,                                                               
he  relayed,  and  opined  that  a definition  of  that  term  is                                                               
unneeded.     He  indicated  that  simply   saying  something  is                                                               
unreadable is vague, whereas if  an encrypted item is released it                                                               
won't constitute a security breach.  He elaborated:                                                                             
                                                                                                                                
     We  want  to  say  that it's  a  security  breach  when                                                                    
     certain personal  information is released -  part of it                                                                    
     has to  be the person's  name; we don't really  want to                                                                    
     regulate  it if  the  person's name  is not  associated                                                                    
     with the  security breach  - that's  just not  really a                                                                    
     big  security   concern.  ...   That's  why,   ...  [in                                                                    
     subparagraph (A)], it's two  pieces of information that                                                                    
     have  been   released  -  your   name  and   then  some                                                                    
     identifying  information [such  as]  your bank  account                                                                    
     [number or] your social security  number - that's a big                                                                    
     concern.   The  catchall  in  [subparagraph] (B)  says,                                                                    
     however,  [that]  there  might  be  some  circumstances                                                                    
     where  even  just the  release  of  one piece  of  this                                                                    
     information is a danger.                                                                                                   
                                                                                                                                
     And  you can  imagine where  just releasing  somebody's                                                                    
     credit  card number  or bank  account number  by itself                                                                    
     could be a  danger to the consumer.  So  that's why ...                                                                    
     California put this ... [language  in its law] as well.                                                                    
     So I  don't know why  you would  not want to  protect a                                                                    
     consumer  if  a  piece   of  information,  standing  by                                                                    
     itself,  would  be  sufficient  to  allow  somebody  to                                                                    
     engage  in or  attempt to  engage in  the theft  of the                                                                    
     individual's identity;  if it's a piece  of information                                                                    
     that  endangers the  consumer, I  think that,  standing                                                                    
     alone,  is a  breach.   And,  really,  again, all  [the                                                                    
     company has] ... to do is tell the consumer.                                                                               
                                                                                                                                
REPRESENTATIVE GARA,  in response to  a question, opined  that it                                                               
won't be burdensome for a  company to determine whether there has                                                               
been a breach.  A company  should notify an individual if his/her                                                               
account number, credit card number,  access code, or password has                                                               
been released.  He pointed out  that the bill only applies if the                                                               
company knows  the information  has been  breached, and  then the                                                               
only requirement  is that  the company notify  the consumer.   He                                                               
added:   "I don't think  any company's going  to have to  sort of                                                               
sit there  and pull there  hair out  and go, 'Shoot,  we released                                                               
somebody's  social security  number,  should we  tell  them?'   I                                                               
think the answer is yes - it's a courtesy."                                                                                     
                                                                                                                                
1:55:36 PM                                                                                                                    
                                                                                                                                
LISA  J. CORRIGAN,  Executive Vice  President  & Chief  Operating                                                               
Officer,   Alaska  Pacific   Bank;   President,  Alaska   Bankers                                                               
Association, relayed  that Alaskan bankers share  the concerns of                                                               
the  sponsor  and  other  members   of  the  committee,  and  are                                                               
dedicated  to protecting  the privacy  and security  of sensitive                                                               
customer information.   In  fact, she  added, the  reputation and                                                               
the safety  and soundness  of the banking  industry depends  on a                                                               
foundation of  security and integrity,  and the  banking industry                                                               
knows it  has a  fiduciary responsibility  to its  customers, not                                                               
only to protect their money,  but to also protect their sensitive                                                               
personal  information.    She  assured  the  committee  that  the                                                               
banking industry  takes security  breaches and all  other related                                                               
issues very seriously.                                                                                                          
                                                                                                                                
MS.  CORRIGAN  relayed that  her  comments  will pertain  to  two                                                               
provisions  located   on  pages  1   and  2,  adding   that  [her                                                               
organizations] think  that the  remainder of  the bill  is great.                                                               
She  offered  her belief  that  the  concerns  [she is  about  to                                                               
express] will be adequately addressed  via a forthcoming proposed                                                               
amendment.                                                                                                                      
                                                                                                                                
1:57:22 PM                                                                                                                    
                                                                                                                                
MS.   CORRIGAN  remarked   that  [subsection   (a)  of   proposed                                                               
45.48.010]  appears  to  appropriately require  disclosure  of  a                                                               
breach  of   security  if  sensitive,  personal   information  is                                                               
reasonably  believed to  have been  acquired  by an  unauthorized                                                               
person.  However,  that language doesn't go  further to stipulate                                                               
that  the   information  has   been  accessed   for  unauthorized                                                               
purposes.  This [lack] is a  bit of a difference from the banking                                                               
"guidance" that  banks already  operate under.   Since  banks are                                                               
already operating  under a complicated  web of federal  and state                                                               
regulations,  whenever   possible  [banks]  would  like   to  see                                                               
legislation that's consistent with  [the rules] they must already                                                               
comply with.                                                                                                                    
                                                                                                                                
MS.  CORRIGAN  referred  to the  Gramm-Leach-Bliley  Act  (GLBA),                                                               
which  required  banking regulators  to  issue  guidance, and  to                                                               
continue  issuing guidance,  to  banks.   That guidance  requires                                                               
banks  to   create  information  security  systems;   complete  a                                                               
comprehensive risk  assessment relating  directly to  the subject                                                               
of  HB   226  -   the  likelihood   of,  and   vulnerability  to,                                                               
unauthorized  access to  sensitive customer  information; and  to                                                               
subsequently  develop   and  implement   a  response   program  -                                                               
basically disaster response in an  electronic format - that would                                                               
be used any  time the bank felt there was  reason to believe that                                                               
there could be harm to a customer or a customer base.                                                                           
                                                                                                                                
MS. CORRIGAN  explained that the aforementioned  response program                                                               
requires  banks  to  begin an  immediate  investigation  if  they                                                               
believe that a  security breach may have occurred,  and then they                                                               
are  required  to determine  the  likelihood  that the  sensitive                                                               
information has  or will be misused.   A concern, she  relayed is                                                               
that  it  is  possible  that  an  unauthorized  individual  could                                                               
inadvertently come into  contact with or come  into possession of                                                               
sensitive  information   without  meaning  any  harm,   and  [her                                                               
organizations believe]  that it  is not  the sponsor's  intent to                                                               
have the  bill apply  in such  situations and  so want  to ensure                                                               
that  language in  the bill  recognizes that,  because if  a bank                                                               
believes that it  is reasonably possible that  misuse will occur,                                                               
then   the  bank   is  already   required  to   go  through   the                                                               
aforementioned   notification  process   and  notify   customers,                                                               
banking regulators, federal authorities, et cetera.                                                                             
                                                                                                                                
MS. CORRIGAN said that the  Alaska Banking Association supports a                                                               
forthcoming  proposed  amendment  because it  believes  that  the                                                               
amendment will  clarify that the  information would have  to have                                                               
been  accessed  for  a  purpose   not  authorized  by  the  state                                                               
resident;   this  adds   the  piece   that  the   Alaska  Banking                                                               
Association felt was missing -  that it is an unauthorized person                                                               
who  has  unauthorized access  to  sensitive  information and  is                                                               
using it for unauthorized purposes  or there is reason to believe                                                               
that he/she could.                                                                                                              
                                                                                                                                
2:00:51 PM                                                                                                                    
                                                                                                                                
MS. CORRIGAN then  drew members' attention to page  2, lines 7-10                                                               
-  proposed AS  45.48.020 -  which provides  that a  business may                                                               
delay  disclosing   a  security   breach  to  customers   if  the                                                               
Department of Law  (DOL) has an ongoing  investigation that could                                                               
be  compromised   by  that  disclosure.     The   Alaska  Banking                                                               
Association  is  asking  that  that  exception  be  broadened  to                                                               
include  all  appropriate  law enforcement  agencies;  banks  are                                                               
already  required  to   have  a  lot  of   contact  with  federal                                                               
authorities   in  situations   involving  suspected   or  ongoing                                                               
criminal  activity.    She offered  her  understanding  that  the                                                               
forthcoming  proposed  amendment  will address  this  concern  as                                                               
well.   She concluded by  saying that  with the inclusion  of her                                                               
aforementioned proposed  changes, [her organizations]  think that                                                               
HB 226 is good legislation and hope it passes.                                                                                  
                                                                                                                                
CHAIR  McGUIRE, after  ascertaining that  no one  else wished  to                                                               
testify, closed public testimony on HB 226.                                                                                     
                                                                                                                                
REPRESENTATIVE  GRUENBERG referred  to the  language on  page 12,                                                               
lines  3-5, and  relayed that  his staff  is researching  whether                                                               
that language  is identical  to the  language in  California law.                                                               
He  said he  supports  the  bill, but  added  that that  language                                                               
currently  seems to  read that  the crime  is a  crime if  it's a                                                               
crime; in other  words, it's an identifier if  it's sufficient to                                                               
cause a crime, which is a circular argument.                                                                                    
                                                                                                                                
2:02:59 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE GARA  made a  motion to  adopt Amendment  1, which                                                               
read [original punctuation provided]:                                                                                           
                                                                                                                                
     Page 5, line 2 following "A"                                                                                               
          Delete "consumer"                                                                                                     
          Insert "credit"                                                                                                       
                                                                                                                                
     Page 11, line 16                                                                                                           
          Delete "or conflicts with"                                                                                            
                                                                                                                                
REPRESENTATIVE COGHILL objected for the purpose of discussion.                                                                  
                                                                                                                                
REPRESENTATIVE GARA explained that the  first part of Amendment 1                                                               
corrects a  typographical error  and the  second part  provides a                                                               
cleaner way of dealing with a federal preemption.                                                                               
                                                                                                                                
REPRESENTATIVE COGHILL removed his objection.                                                                                   
                                                                                                                                
REPRESENTATIVE  GRUENBERG  said  he  supports Amendment  1.    He                                                               
remarked, though,  that proposed  AS 45.48.300  - which  is being                                                               
altered  by the  second  portion of  Amendment 1  -  is not  even                                                               
necessary because it is always  the law that federal law preempts                                                               
state law.                                                                                                                      
                                                                                                                                
REPRESENTATIVE  GARA  said  he   would  be  receptive  to  taking                                                               
[proposed AS  45.48.300] out of  the bill  on the House  floor if                                                               
Representative  Gruenberg  can  show  that  there  is  already  a                                                               
general preemption provision.                                                                                                   
                                                                                                                                
REPRESENTATIVE  GRUENBERG  said  there  isn't  one  now,  and  is                                                               
pondering whether  the committee would consider  adding a general                                                               
preemption provision to Title 1.                                                                                                
                                                                                                                                
REPRESENTATIVE  COGHILL   said  he'd  prefer  to   consider  that                                                               
question separately from their debate on HB 226.                                                                                
                                                                                                                                
2:06:37 PM                                                                                                                    
                                                                                                                                
CHAIR  McGUIRE noted  that  the issue  of  severability has  been                                                               
debated,  and  that sometimes  a  specific  clause pertaining  to                                                               
severability is put in legislation  and sometimes severability is                                                               
viewed as a  given.  She concurred that the  general rule is that                                                               
if  there is  a federal  law on  a particular  subject, it  would                                                               
preempt state  law, but pointed out  that this issue can  be more                                                               
complicated when it pertains to certain areas of the law.                                                                       
                                                                                                                                
REPRESENTATIVE  COGHILL  said  he   would  not  want  to  concede                                                               
anything [to the federal government] that he did not have to.                                                                   
                                                                                                                                
CHAIR McGUIRE said she thinks  it's appropriate to keep [proposed                                                               
AS 45.48.300] in the bill.                                                                                                      
                                                                                                                                
CHAIR McGUIRE asked whether there  were any further objections to                                                               
Amendment 1.  There being none, Amendment 1 was adopted.                                                                        
                                                                                                                                
2:07:51 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  GARA   made  a   motion  to   adopt  [Conceptual]                                                               
Amendment 2, which read [original punctuation provided]:                                                                        
                                                                                                                                
     Page 1, line 12 following "person,"                                                                                        
          Insert "for a purpose not authorized by the state                                                                     
     resident"                                                                                                                  
          Delete "due to the breach"                                                                                            
                                                                                                                                
     Page 2 lines 7 following "Enforcement."                                                                                    
          Delete all material through page 2, line 10.                                                                          
          Insert "Notice of the breach may be delayed if an                                                                     
     appropriate  law  enforcement  agency  determines  that                                                                    
     notification   will    interfere   with    a   criminal                                                                    
     investigation    and   provides    the   business    or                                                                    
     governmental  entity with  a  written  request for  the                                                                    
     delay.   However, the  business or  governmental entity                                                                    
     shall   notify   the   state  resident   as   soon   as                                                                    
     notification   will  no   longer  interfere   with  the                                                                    
     investigation."                                                                                                            
                                                                                                                                
REPRESENTATIVE COGHILL objected for the purpose of discussion.                                                                  
                                                                                                                                
REPRESENTATIVE   GARA   indicated   that  the   first   part   of                                                               
[Conceptual] Amendment  2 addresses  Ms. Corrigan's  first stated                                                               
concern,  and  the  second  part   of  [Conceptual]  Amendment  2                                                               
addresses  her  second stated  concern.    With the  adoption  of                                                               
[Conceptual]  Amendment  2, if  there  is  a  breach but  it's  a                                                               
harmless  breach, then  the  bill  won't apply,  and  a delay  in                                                               
notifying the customer  of a security breach  will temporarily be                                                               
allowed if  the company is  told, in writing, by  any appropriate                                                               
law  enforcement agency  that  such  notification will  interfere                                                               
with a criminal investigation, though  once law enforcement is no                                                               
longer concerned  about notification,  then the customer  must be                                                               
notified.                                                                                                                       
                                                                                                                                
2:09:59 PM                                                                                                                    
                                                                                                                                
CHAIR  McGUIRE  said  she  would  not  want  the  first  part  of                                                               
[Conceptual] Amendment 2 to be used  as an excuse [to not provide                                                               
notification].    She  offered   her  recollection  that  in  the                                                               
ChoicePoint case,  the company offered the  defense that although                                                               
it knew  about the security breach,  it didn't think that  it was                                                               
going to cause any harm.  She said  she wants it to be very clear                                                               
that companies have  a duty to investigate  the reasonableness of                                                               
whether  the  breach would  cause  harm,  and  that it  isn't  an                                                               
automatic defense for  the company to simply say  it didn't think                                                               
it would.                                                                                                                       
                                                                                                                                
REPRESENTATIVE  GRUENBERG  referred  to   the  last  sentence  of                                                               
[Conceptual] Amendment 2 and suggested  that it be changed to say                                                               
that  the law  enforcement  agency must  notify  the company  [or                                                               
governmental entity]  in writing  that the  customer notification                                                               
process will no longer interfere  with the criminal investigation                                                               
and thus may begin.  In  response to a comment, he clarified that                                                               
he would like  the law enforcement agency to also  have a duty to                                                               
notify.                                                                                                                         
                                                                                                                                
REPRESENTATIVE  GRUENBERG made  a  motion  to conceptually  amend                                                               
[Conceptual]  Amendment 2,  to rewrite  the  final sentence  such                                                               
that the  investigating law enforcement  agency shall  notify the                                                               
business or governmental  entity as soon as  the investigation is                                                               
sufficiently complete that the business  can notify the consumer.                                                               
At  that  point,  he  added,   the  [business]  must  notify  the                                                               
consumer.                                                                                                                       
                                                                                                                                
CHAIR  McGUIRE   noted  however  that  investigations   can  take                                                               
decades.  Therefore she would  prefer the phrase, "will no longer                                                               
interfere with the investigation".                                                                                              
                                                                                                                                
REPRESENTATIVE GRUENBERG indicated that he  is amenable to such a                                                               
change to  the conceptual amendment to  [Conceptual] Amendment 2,                                                               
to have it  say, "the investigating law  enforcement agency shall                                                               
notify   the  business   or  governmental   entity  as   soon  as                                                               
notification will no longer interfere  with the investigation and                                                               
at that point  the business or governmental  [entity] must notify                                                               
the   consumer".     There  being   no  objection,   [Conceptual]                                                               
Amendment 2 was amended.                                                                                                        
                                                                                                                                
CHAIR McGUIRE asked whether there  were any further objections to                                                               
[Conceptual]  Amendment  2,  as   amended.    There  being  none,                                                               
[Conceptual] Amendment 2, as amended, was adopted.                                                                              
                                                                                                                                
2:16:08 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  GARA   made  a   motion  to   adopt  [Conceptual]                                                               
Amendment 3, which read [original punctuation provided]:                                                                        
                                                                                                                                
     Page 6, line 15 following "than"                                                                                           
          Insert a new subsection to read:                                                                                      
          " (1) $3 for the first time that the consumer                                                                         
     places a  security freeze in  a five year  period under                                                                    
     AS 45.48.100"                                                                                                              
                                                                                                                                
     Page 6, line 16 following "each"                                                                                           
          Insert "subsequent"                                                                                                   
                                                                                                                                
     Page 6, line 16                                                                                                            
          Delete (1)                                                                                                            
          Insert (2)                                                                                                            
                                                                                                                                
     Page 6, line 19                                                                                                            
          Delete (2)                                                                                                            
          Insert (3)                                                                                                            
                                                                                                                                
     Page 12 following line 5                                                                                                   
          Insert a new bill section to read:                                                                                    
     "CONTINGENT EFFECT OF AS 45.48.160(a)(1)  .  If a court                                                                    
     of competent  jurisdiction whose decisions  are binding                                                                    
     in this state enters a  final judgment that the charges                                                                    
     rendered  in AS  45.48.160(a)(1) are  unconstitutional,                                                                    
     then   the   charges  shall   be   as   stated  in   AS                                                                    
     45.48.160(a)(2), (a)(3) and AS 45.48.160(b)."                                                                              
                                                                                                                                
REPRESENTATIVE COGHILL objected for the purpose of discussion.                                                                  
                                                                                                                                
REPRESENTATIVE   GARA  said   that   he  took   care  to   mirror                                                               
California's comprehensive approach.   However, California allows                                                               
a credit-reporting agency  to charge $10 and $12  to either place                                                               
or remove a freeze.   That amount seems significant, he remarked,                                                               
and so  Conceptual Amendment  3 provides  for a  $3 charge  for a                                                               
first  time  request within  a  five  year period,  and  includes                                                               
conditional language which says that if  a court finds that it is                                                               
unconstitutional to impose the lower  charge then it will default                                                               
to the $10  and $12 charges.  He pointed  out that under language                                                               
currently in  the bill, a person  may place or remove  a security                                                               
freeze  without  charge if  he/she  provides  a credit  reporting                                                               
agency  with proof  that he/she,  in good  faith, filed  a police                                                               
report  stating  that  his/her  [personal  information  has  been                                                               
breached].                                                                                                                      
                                                                                                                                
REPRESENTATIVE COGHILL removed his objection.                                                                                   
                                                                                                                                
CHAIR McGUIRE asked whether there  were any further objections to                                                               
Conceptual   Amendment  3.      There   being  none,   Conceptual                                                               
Amendment 3 was adopted.                                                                                                        
                                                                                                                                
2:19:06 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE   GARA  made   a   motion   to  adopt   Conceptual                                                               
Amendment 4,   which,  along   with   a   note,  read   [original                                                               
punctuation provided]:                                                                                                          
                                                                                                                                
     Page 6, line 14                                                                                                            
          Insert a new bill section to read:                                                                                    
          "Sec. 45.48.150. Prohibition. When dealing with a                                                                   
     third  party,   a  credit  reporting  agency   may  not                                                                    
     suggest,  state, or  imply that  a consumer's  security                                                                    
     freeze  reflects  a  negative  credit  score,  history,                                                                    
     report, or rating"                                                                                                         
                                                                                                                                
     Page 7, line 12                                                                                                            
          Insert a new bill section to read:                                                                                    
          "Sec. 45.48.190. Notification after violation.                                                                      
     If  a  credit  reporting  agency  violates  a  security                                                                    
     freeze  by  releasing  a consumer's  credit  report  or                                                                    
     information derived from the  credit report, the credit                                                                    
     reporting agency shall notify  the consumer within five                                                                    
     business days  after the  release, and  the information                                                                    
     in  the notice  must include  an identification  of the                                                                    
     information  released  and  of   the  third  party  who                                                                    
     received the information."                                                                                                 
                                                                                                                                
     Renumber following bill sections accordingly.                                                                              
                                                                                                                                
     [Note: Taken from SB222]                                                                                                   
                                                                                                                                
CHAIR McGUIRE objected for the purpose of discussion.                                                                           
                                                                                                                                
REPRESENTATIVE  GARA  relayed that  SB  222  addresses many  more                                                               
subjects than HB 226, and  Conceptual Amendment 4, which contains                                                               
language from  SB 222,  says in  the first part  that if  a third                                                               
party  contacts a  credit reporting  agency, the  agency may  not                                                               
suggest,  state,  or   imply  that  a  freeze   on  a  consumer's                                                               
information reflects  a negative  credit score,  history, report,                                                               
or rating.                                                                                                                      
                                                                                                                                
CHAIR  McGUIRE removed  her objection,  and  asked whether  there                                                               
were  any  further  objections.   There  being  none,  Conceptual                                                               
Amendment 4 was adopted.                                                                                                        
                                                                                                                                
REPRESENTATIVE  GARA,   in  response  to  a   question  regarding                                                               
Conceptual Amendment 3, relayed that  he doesn't believe that the                                                               
lower  charge of  $3  proposed via  Conceptual  Amendment 3  will                                                               
violate the  [federal] commerce  clause but  he is  including the                                                               
contingent effect clause  just in case the  proposed lower charge                                                               
raises that issue.                                                                                                              
                                                                                                                                
2:22:11 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE   GARA  made   a   motion   to  adopt   Conceptual                                                               
Amendment 5,   which,  along   with   a   note,  read   [original                                                               
punctuation provided]:                                                                                                          
                                                                                                                                
     Page 11, line 14                                                                                                           
          Insert a new article in the bill to read:                                                                             
          "Article 3. Right to File Police Report Regarding                                                                   
     Identity Theft."                                                                                                         
     Sec. 45.48.300.  Right to file police  report regarding                                                                  
     identity theft.  (a) Even if the  local law enforcement                                                                  
     agency does not have jurisdiction  over the theft of an                                                                    
     individual's  identity,   if  an  individual   who  has                                                                    
     learned or reasonably suspects  the individual has been                                                                    
     the victim of identity  theft contacts, for the purpose                                                                    
     of filing  a complaint, a local  law enforcement agency                                                                    
     that  has  jurisdiction  over the  individual's  actual                                                                    
     place of  residence, the  local law  enforcement agency                                                                    
     shall  make a  report  of the  matter  and provide  the                                                                    
     individual with  a copy of  the report.  The  local law                                                                    
     enforcement  agency  may  refer  the matter  to  a  law                                                                    
     enforcement agency in a different jurisdiction.                                                                            
     (b) This section is not  intended to interfere with the                                                                    
     discretion  of  a  local   law  enforcement  agency  to                                                                    
     allocate its  resources to the investigation  of crime.                                                                    
     A  local  law enforcement  agency  is  not required  to                                                                    
     count a  complaint filed under  (a) of this  section as                                                                    
        an open case for purposes that include compiling                                                                        
     statistics on its open cases.                                                                                              
                                                                                                                                
         Sec. 45.48.390. Definitions. In AS 45.48.300 -                                                                       
     45.48.390                                                                                                                  
       (1) "crime" has the meaning given in AS 11.81.900                                                                        
          (2) "identity theft" means the theft of the                                                                           
     identity of an individual;                                                                                                 
          (3) "victim" means an individual who is the                                                                           
     victim of identity theft.                                                                                                  
                                                                                                                                
     Renumber following bill sections accordingly.                                                                              
                                                                                                                                
     [Language taken from SB222]                                                                                                
                                                                                                                                
REPRESENTATIVE  GARA mentioned  that  he'd  gotten this  language                                                               
from SB 222 as well, and  that it addresses a person's ability to                                                               
file a police report regarding identity theft.                                                                                  
                                                                                                                                
REPRESENTATIVE   ANDERSON  objected,   and  asked   whether  this                                                               
language will engender a fiscal note.                                                                                           
                                                                                                                                
REPRESENTATIVE GARA acknowledged that  this language might have a                                                               
minor fiscal  impact, and explained  that Conceptual  Amendment 5                                                               
specifies that  law enforcement  shall allow a  person to  file a                                                               
report and thereby  obtain a free security freeze;  he noted that                                                               
[under Conceptual Amendment 5] a  law enforcement agency will not                                                               
be required to investigate a situation outlined in the report.                                                                  
                                                                                                                                
REPRESENTATIVE  ANDERSON   said  he   will  be   maintaining  his                                                               
objection  because he  thinks the  proposed requirement  to allow                                                               
people to file the aforementioned  reports will be too burdensome                                                               
on law enforcement agencies.                                                                                                    
                                                                                                                                
REPRESENTATIVE  GARA  reiterated   that  Conceptual  Amendment  5                                                               
stipulates that law enforcement will  not have to take any action                                                               
on such reports.                                                                                                                
                                                                                                                                
REPRESENTATIVE  ANDERSON  argued  that law  enforcement  agencies                                                               
will still have to fill out the reports.                                                                                        
                                                                                                                                
2:24:56 PM                                                                                                                    
                                                                                                                                
A roll  call vote was  taken.  Representatives  McGuire, Coghill,                                                               
Wilson,  Gruenberg,  and  Gara   voted  in  favor  of  Conceptual                                                               
Amendment  5.   Representatives Anderson  and Kott  voted against                                                               
it.  Therefore,  Conceptual Amendment 5 was adopted by  a vote of                                                               
5-2.                                                                                                                            
                                                                                                                                
CHAIR  McGUIRE encouraged  Representative  Gara  to have  someone                                                               
from law  enforcement available  to address  this issue  when the                                                               
bill is heard in the House Finance Committee.                                                                                   
                                                                                                                                
REPRESENTATIVE  GARA agreed  to do  so, and  asked Representative                                                               
Anderson to contact law enforcement.                                                                                            
                                                                                                                                
REPRESENTATIVE ANDERSON indicated that he would.                                                                                
                                                                                                                                
2:26:05 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE   GARA  made   a   motion   to  adopt   Conceptual                                                               
Amendment 6, which read [original punctuation provided]:                                                                        
                                                                                                                                
     Page 2, line 16 following "(3)"                                                                                            
          Insert "by substitute notice"                                                                                         
                                                                                                                                
     Page 2, line 17 following "$250,000,"                                                                                      
          Insert "or"                                                                                                           
                                                                                                                                
     Page 3, line 5-7                                                                                                           
          Delete "if the employee or agent does not use the                                                                     
     personal  information for  a purpose  unrelated to  the                                                                    
     activities of  the business or governmental  entity and                                                                    
     does not  make further  unauthorized disclosure  of the                                                                    
     personal information."                                                                                                     
       Insert "provided that the personal information is                                                                        
    not   used   or   subject   to   further   unauthorized                                                                     
     disclosure."                                                                                                               
                                                                                                                                
     Page 3, line 12 following "recover the"                                                                                    
          Insert "actual"                                                                                                       
                                                                                                                                
CHAIR McGUIRE objected for the purpose of discussion.                                                                           
                                                                                                                                
REPRESENTATIVE  GARA  referred  to   the  portion  of  Conceptual                                                               
Amendment 6 that proposes a change to page 2, line 16.                                                                          
                                                                                                                                
CHAIR McGUIRE  said she doesn't  know what the  term, "substitute                                                               
notice" means.                                                                                                                  
                                                                                                                                
REPRESENTATIVE  COGHILL  pointed  out that  [paragraphs  (1)-(3)]                                                               
direct how a business or government shall make the disclosure.                                                                  
                                                                                                                                
REPRESENTATIVE  GRUENBERG  asked  whether the  term,  "substitute                                                               
notices" is  defined [in statute],  or, if not, who  would decide                                                               
what it  means, or is it  defined on lines  20-25 of page 2.   If                                                               
the  latter is  the  case,  he remarked,  then  he would  suggest                                                               
dividing Conceptual Amendment  6 into parts and  amending it such                                                               
that it  would add  to page  2, line  19, the  word, "substitute"                                                               
between the words, "provide notice".                                                                                            
                                                                                                                                
REPRESENTATIVE   GARA  made   a   motion   to  amend   Conceptual                                                               
Amendment 6, to  delete the change  proposed to page 2,  line 16.                                                               
There being no objection, Conceptual Amendment 6 was amended.                                                                   
                                                                                                                                
REPRESENTATIVE  GARA  referred  to   the  portion  of  Conceptual                                                               
Amendment 6, as  amended, that proposes a change to  page 2, line                                                               
17, and characterized this as a technical change.                                                                               
                                                                                                                                
2:29:29 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  GARA  referred  to   the  portion  of  Conceptual                                                               
Amendment 6, as amended, that proposes  a change to page 3, lines                                                               
5-7, and  explained that  the new  proposed language  would track                                                               
California  statute; although  both the  current language  of the                                                               
bill and  the new proposed language  seem to say the  same thing,                                                               
as a  matter of caution  he would prefer  to use the  language in                                                               
California law.                                                                                                                 
                                                                                                                                
REPRESENTATIVE GRUENBERG  asked that  Conceptual Amendment  6, as                                                               
amended, be divided.                                                                                                            
                                                                                                                                
CHAIR  McGUIRE suggested  instead  that Representative  Gruenberg                                                               
simply state his concerns.                                                                                                      
                                                                                                                                
REPRESENTATIVE GRUENBERG, referring to  the portion of Conceptual                                                               
Amendment 6, as  amended, that proposes a change to  page 3, line                                                               
12, offered  his belief  that "actual damages"  might be  read to                                                               
mean  special damages  only as  opposed to  general damages,  and                                                               
since  an  unauthorized  disclosure  could ruin  a  person,  they                                                               
should not limit the damage award to actual damages.                                                                            
                                                                                                                                
REPRESENTATIVE  GARA  said his  [initial  thought]  is that  both                                                               
"damages" and  "actual damages" mean "compensatory  damages", but                                                               
he is  willing to  [delete that  proposed change  from Conceptual                                                               
Amendment 6, as amended].                                                                                                       
                                                                                                                                
REPRESENTATIVE  GRUENBERG said  he would  be more  comfortable if                                                               
the term, "actual" was not included.                                                                                            
                                                                                                                                
REPRESENTATIVE GRUENBERG made a  motion to again amend Conceptual                                                               
Amendment 6, as amended, by  deleting the portion that proposes a                                                               
change to page 3, line 12.   There being no objection, the second                                                               
amendment to Conceptual Amendment 6, as amended, was adopted.                                                                   
                                                                                                                                
CHAIR McGUIRE asked whether there  were any further objections to                                                               
Conceptual  Amendment 6,  as amended  twice.   There being  none,                                                               
Conceptual Amendment 6, as amended twice, was adopted.                                                                          
                                                                                                                                
REPRESENTATIVE  ANDERSON offered  his  belief  that Mr.  George's                                                               
concern regarding  encryption warrants  further attention  as the                                                               
bill moves through the process.                                                                                                 
                                                                                                                                
REPRESENTATIVE GARA agreed.                                                                                                     
                                                                                                                                
REPRESENTATIVE  GRUENBERG, referring  to  proposed AS  45.48.390,                                                               
said  it seems  to him  that anything  in subparagraph  (A) would                                                               
necessarily  be in  subparagraph (B).   Referring  to the  actual                                                               
language  in  California's  law  pertaining  to  this  issue,  he                                                               
characterized that language as quite  clear and well drafted.  He                                                               
asked  Representative  Gara  whether  he  would  be  amenable  to                                                               
replacing the  language currently  in proposed AS  45.48.390 with                                                               
the language in California law, which read:                                                                                     
                                                                                                                                
     For  purposes of  this section,  "personal information"                                                                    
     means an  individual's first name or  first initial and                                                                    
     last name  in combination with  any one or more  of the                                                                    
     following data  elements, when either  the name  or the                                                                    
     data elements are not encrypted:                                                                                           
          (1) Social security number.                                                                                           
          (2) Driver's license number or California                                                                             
     Identification Card number.                                                                                                
          (3) Account number, credit or debit card number,                                                                      
     in combination with any  required security code, access                                                                    
     code,  or  password  that would  permit  access  to  an                                                                    
     individual's financial account.                                                                                            
                                                                                                                                
REPRESENTATIVE GARA said he  thinks that Representative Gruenberg                                                               
is  correct on  this  issue and  that [Mr.  George]  has a  valid                                                               
concern.                                                                                                                        
                                                                                                                                
2:35:58 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  GRUENBERG  made  a  motion  to  adopt  Conceptual                                                               
Amendment 7,  to replace  the language  currently in  proposed AS                                                               
45.48.390 with the language in  California law except that Alaska                                                               
terms  be used  in place  of California  terms.   There being  no                                                               
objection, Conceptual Amendment 7 was adopted.                                                                                  
                                                                                                                                
2:37:01 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE WILSON,  after noting that she'd  had her personal                                                               
information stolen  in the past,  moved to report  CSHB 226(L&C),                                                               
as amended, out of committee  with individual recommendations and                                                               
the accompanying  fiscal notes.   There being no  objection, CSHB                                                               
226(JUD)  was   reported  from   the  House   Judiciary  Standing                                                               
Committee.                                                                                                                      
                                                                                                                                

Document Name Date/Time Subjects