Legislature(2005 - 2006)CAPITOL 17
04/13/2005 03:15 PM House LABOR & COMMERCE
| Audio | Topic |
|---|---|
| Start | |
| HB226 | |
| HB213 | |
| HB227 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| *+ | HB 213 | TELECONFERENCED | |
| *+ | HB 226 | TELECONFERENCED | |
| = | HB 227 | ||
HB 226-PERSONAL INFORMATION BREACH CHAIR ANDERSON announced that the first order of business would be HOUSE BILL NO. 226, "An Act relating to breaches of security involving personal information; and relating to credit report security freezes." 3:34:59 PM CHAIR ANDERSON then announced that HB 226 would be held over until Friday, at which time he indicated the legislation would be reported from committee. He mentioned that one party has requested that the legislation be held in order to have time for a bit more research. He also mentioned his intention to co- sponsor HB 226. 3:35:10 PM REPRESENTATIVE LES GARA, Alaska State Legislature, sponsor, noted that there is a proposed committee substitute. He explained that HB 226 responds to the ChoicePoint, Inc., security fraud cases. He informed the committee that a number of financial companies that make money by selling people's personal and financial information don't use the required security safeguards. Therefore, people's personal and financial information are being stolen. In the ChoicePoint case the information of 145,000 people was stolen and the company didn't immediately tell the victims. This legislation follows a California law that specifies that if a company that makes money on people's information discovers that information has been stolen or misused, it must inform the individuals right away. In the ChoicePoint case, a number of months passed before the 145,000 people were told that their information had been stolen. In California, the individuals were notified because of the state law requiring such knowledge be provided to the individual whose information was lost or stolen. 3:38:13 PM REPRESENTATIVE GARA highlighted that HB 226 also provides that an individual who is worried that his or her information has been stolen can call one of the three credit reporting agencies and request a hold on his or her financial information. The aforementioned is referred to as a security freeze. Representative Gara related that the Department of Law, the Alaska Public Interest Research Group (AkPIRG), and the U.S. Public Interest Research Group (AkPIRG) appear to be supportive of this legislation. 3:39:23 PM CHAIR ANDERSON surmised that HB 226 is senior friendly. He recalled reading information relating that one of the senior advocacy groups supports the California legislation, on which this based. REPRESENTATIVE GARA stated that AARP is supportive of HB 226. He opined that in this kind of security fraud, seniors are as vulnerable as everyone else not more vulnerable than others. Representative Gara further opined that everyone has an interest in knowing if one's personal and financial information has been stolen. Moreover, it's quite an outrage that these companies aren't informing people when the information is stolen. "They make money off us, and they have a duty to protect us," he stressed. The committee was at-ease from 3:40 p.m. to 3:44 p.m. 3:44:39 PM CHAIR ANDERSON moved to adopt CSHB 226, Version I, as the working document. There being no objection, Version I was before the committee. 3:46:11 PM GEORGE BERRY, Teamsters Local 959, informed the committee that he works in the oil and gas industry through the Teamsters union. He related that he and his coworkers are very concerned with these types of businesses operating seemingly unregulated. Mr. Berry noted that the legislation appears to require a remedy for the individual to whom harm is done from poor or inaccurate reporting, or theft or disclosure of information to an unknown third party, and for that he thanked the sponsor. He stressed the need to keep an individual's right to privacy at the forefront when [employers] perform background checks. Mr. Berry related that this will be implemented in the [oil and gas industry] in the near future and thus there is the desire to be sure that the appropriate protections are in place in the [employee's] contract language. 3:48:24 PM JOHN GEORGE, Lobbyist, American Council of Life Insurers; Property Casualty Insurance Association of America, acknowledged that insurance companies have much of this sensitive information, such as social security numbers. The insurance companies are concerned with regard to protecting such information. He related that generally, the insurance [industry] supports the concept of HB 266, which seems to be a national movement. He mentioned that this concept has been introduced in about 28 states. Mr. George informed the committee that Congressional legislation, which is essentially the earlier mentioned California bill, has been introduced. The aforementioned, national approach, is probably better than having each state pass it's own legislation, possibly with slight differences. Therefore, he urged the committee to consider that. Mr. George related that the organizations he represents believe that privacy of information and disclosure of any breach of this type of information should apply to everyone. Although this legislation doesn't specifically state that it applies to governmental entities, the sponsor has related that the reference to "any person" does include the state and other governmental entities, he noted. MR. GEORGE further informed the committee that his clients are also concerned with regard to information that's being acquired and information that's being accessed. He explained that one can acquire something, but not have access to it because it's encrypted data. In that case, there really isn't a breach of information. Again, the sponsor believes the aforementioned concern is addressed. Mr. George pointed out that the legislation refers to encryption, which is the current technology used to protect information. However, in the future there may be other applications, and therefore he suggested that the language should be broadened to refer to "encryption or other technology that prohibits access to the data". He noted that because other states are adopting similar legislation, companies already have notification processes in mind. Therefore, he expressed the need to have the notification process be consistent with the law as long as it meets the specified timeframes to get the notice out, even if a bit different than what's prescribed in the law. Thus, companies could use the same notice procedures in all states. He informed the committee that the sponsor has agreed to meet with him and discuss his concerns. 3:51:47 PM REPRESENTATIVE GUTTENBERG asked if anyone used a more generic, board language than "encryption." MR. GEORGE replied yes, and suggested that the language "any other method or technology that renders the personal information unreadable or unusable" would include future technology that's developed. BARBARA HUFF TUCKNESS, Director, Governmental and Legislative Affairs, Teamster Local 959, related her support of HB 226. She said that Mr. George adequately covered her concerns with regard to background checks. For smaller employers that [financially] don't have access to a secure system for background checks, something in statute would be appropriate. Ms. Huff Tuckness noted that she is working with the sponsor to address the background check, the chain of custody, and how documents received on an employee are handled through the processing company or the specific employer. CLYDE SNIFFEN, Assistant Attorney General, Civil Division (Anchorage), Department of Law, informed the committee that the department reviewed HB 226 for legal concerns for which it has none. Mr. Sniffen opined that HB 226 will help address some of the earlier mentioned security breach issues. STEVE CLEARY, Executive Director, Alaska Public Interest Research Group (AkPIRG), applauded the committee's quick action in addressing this national problem. He informed the committee that he just learned that about 185,000 GM MasterCard holders had their personal information breached again. The question is how and when these people will be notified as well as how best these people can protect themselves. DAN SIMIEM, President, Laborers Local 942, stated his support of HB 226. Mr. Simiem pointed out that companies that retrieve and bank this data should have some kind of firewall protection. He offered his understanding that the problem comes when these companies go to smaller [entities], which tend to open the portals to the information. Therefore, he requested that be given consideration. 3:56:54 PM REPRESENTATIVE LYNN highlighted that the legislation refers to businesses that use personal information. He noted that when he gets new software, it has to be registered, which includes personal information. He asked if that would be included under HB 226 or would it be limited to large companies such as ChoicePoint. REPRESENTATIVE GARA clarified that [under HB 226] if information on an individual held by any government entity or company has been breached, the individual(s) have to be told. He surmised that Representative Lynn is alluding to the companies that sell information, for which legislation was introduced last year. He said that it's probably worth another look. Representative Gara clarified that HB 226 relates to stolen information rather than the sale of information. He mentioned his concern that the sale of information may be regulated by federal law and thus the state may not be able to address it. In further response to Representative Lynn, he specified that HB 226 doesn't change anything in regard to entering information for a computer information form, for example. However, he said that is of concern as well. 3:58:48 PM REPRESENTATIVE GUTTENBERG turned to the situation in which a site from which one has downloaded information pulls data from an individual's computer and uses the data. The aforementioned is a breach of the individual's security. He suggested that most people don't have firewalls on their home computers. He asked if the aforementioned situation is addressed in HB 226. REPRESENTATIVE GARA reiterated that HB 226 addresses companies that have individuals' personal information and [the notification procedures] required when they discover that the information has been stolen. This legislation merely says that once the company finds out that the information has been stolen, they have to inform the individuals immediately. The sale of an individual's information is of great concern, but he said he didn't know how to regulate it at this point. REPRESENTATIVE LEDOUX posed a situation in which an individual took information from one of these companies that stores data and then sells it. She inquired as to what would happen. REPRESENTATIVE GARA reiterated that HB 226 protects people when there has been an unauthorized use of their information. Therefore, if a company that holds data discovers that someone has taken data without the company's consent, then the company has to inform those whose data was taken. He said he wasn't sure of the federal rules regarding a situation in which the person who took the information subsequently sells it. 4:01:27 PM REPRESENTATIVE LEDOUX asked whether "they" have to tell [the individual] that his or her information is being sold. REPRESENTATIVE GARA specified that this legislation doesn't address the sale of the information that has been authorized by the company housing the data. Again, this is an issue that should be reviewed, but he said he didn't know how to address it at this point. 4:01:45 PM REPRESENTATIVE GUTTENBERG surmised that it would address the Commerce Clause. He inquired as to how those companies that are located out of state or out of the country would be addressed. REPRESENTATIVE GARA highlighted that this legislation includes a provision that specifies that it applies to the full extent the constitution allows. Generally, if there is an out-of-state company that is selling personal information of Alaskans, the company has "touched us enough" that the state can regulate it. Therefore, this legislation applies to companies located out of state if they use the information of Alaskans. CHAIR ANDERSON, upon determining there were no further questions, closed public testimony. [HB 226 was held over.]
| Document Name | Date/Time | Subjects |
|---|